Do not make internal redirects during login failures#8535

Open
Inverle wants to merge 1 commit intoFreshRSS:edgefrom
Inverle:fix-login-get-bug

Conversation


@Inverle Inverle commented Feb 28, 2026

Fixes a bug that makes FreshRSS send a GET login request after failing one login and trying again (see the last line; earlier lines are included for context):

172.19.0.1 - - [28/Feb/2026:08:24:23 +0000] "GET /i/?a=normal&rid=69a2a44677f60&sort=title&order=DESC HTTP/1.1" 200 3057 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:148.0) Gecko/20100101 Firefox/148.0"
172.19.0.1 - - [28/Feb/2026:08:24:23 +0000] "GET /themes/icons/login.svg HTTP/1.1" 200 328 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:148.0) Gecko/20100101 Firefox/148.0"
172.19.0.1 - - [28/Feb/2026:08:24:23 +0000] "GET /themes/icons/key.svg HTTP/1.1" 200 353 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:148.0) Gecko/20100101 Firefox/148.0"
172.19.0.1 - - [28/Feb/2026:08:24:23 +0000] "GET /themes/icons/favicon-256.png HTTP/1.1" 200 16450 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:148.0) Gecko/20100101 Firefox/148.0"
172.19.0.1 - - [28/Feb/2026:08:24:23 +0000] "GET /favicon.ico HTTP/1.1" 200 18102 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:148.0) Gecko/20100101 Firefox/148.0"
172.19.0.1 - - [28/Feb/2026:08:24:23 +0000] "GET /themes/Origine/origine.css?1770567175 HTTP/1.1" 200 5527 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:148.0) Gecko/20100101 Firefox/148.0"
172.19.0.1 - - [28/Feb/2026:08:24:23 +0000] "GET /themes/base-theme/frss.css?1770567175 HTTP/1.1" 200 10116 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:148.0) Gecko/20100101 Firefox/148.0"
172.19.0.1 - - [28/Feb/2026:08:24:27 +0000] "GET /i/?c=javascript&a=nonce&user=user HTTP/1.1" 200 124 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:148.0) Gecko/20100101 Firefox/148.0"
FreshRSS[34]: [user] [Sat, 28 Feb 2026 08:24:27 +0000] [warning] --- Password mismatch for user=user, nonce=[REDACTED], c=$2b$04$5JwxRhi7icR6847LdDbDLOjj5/3FE91OcFk3glx1AynhH5DFBnGY.
172.19.0.1 - - [28/Feb/2026:08:24:27 +0000] "POST /i/?c=auth&a=login HTTP/1.1" 403 7424 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:148.0) Gecko/20100101 Firefox/148.0"
172.19.0.1 - - [28/Feb/2026:08:24:29 +0000] "GET /i/?c=javascript&a=nonce&user=user HTTP/1.1" 200 125 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:148.0) Gecko/20100101 Firefox/148.0"

172.19.0.1 - - [28/Feb/2026:08:24:29 +0000] "POST /i/?c=auth&a=login HTTP/1.1" 302 - "-" "Mozilla/5.0 (X11; Linux x86_64; rv:148.0) Gecko/20100101 Firefox/148.0"
# ^^^^^^^^^^^ post request is sent with earlier post fields included in original_request
172.19.0.1 - - [28/Feb/2026:08:24:29 +0000] "GET /i/?c=auth&a=login&_csrf=963cee5efb67819fdef80d91a3a46ba3080f19a5a6ef11514dfe62026fd1e826&original_request=eyJjIjoiaW5kZXgiLCJhIjoibm9ybWFsIiwicGFyYW1zIjp7InJpZCI6IjY5YTJhNDQ2NzdmNjAiLCJzb3J0IjoidGl0bGUiLCJvcmRlciI6IkRFU0MifX0%3D&username=user&challenge=%242b%2404%245JwxRhi7icR6847LdDbDLOjj5%2F3FE91OcFk3glx1AynhH5DFBnGY.&rid=69a2a63dc8673 HTTP/1.1" 302 - "-" "Mozilla/5.0 (X11; Linux x86_64; rv:148.0) Gecko/20100101 Firefox/148.0"
# ^^^^^^^^^^^ redirect is performed to the original_request url

Reproduce by:

  1. logout
  2. login with a valid user but invalid password
  3. login with a valid user and valid password
  4. see the GET request in server logs or network tab

Though the main issue is that Minz_Request::forward confuses GET and POST params, which both end up in the Location: redirect:

// Login failure path: every string-keyed POST field is merged into the URL params before forwarding.
$url = Minz_Url::build();
$url['params'] = array_merge(
    empty($url['params']) || !is_array($url['params']) ? [] : $url['params'],
    array_filter($_POST, 'is_string', ARRAY_FILTER_USE_KEY)
);
Minz_Request::forward($url);

public static function forward(array $url = [], bool $redirect = false): void {
    if (empty(Minz_Request::originalRequest())) {
        self::$originalRequest = $url;
    }
    $url = Minz_Url::checkControllerUrl($url);
    $url['params']['rid'] = self::requestId();
    if ($redirect) {
        // $url['params'] (GET params and the merged POST fields alike) becomes the query string of the Location header
        header('Location: ' . Minz_Url::display($url, 'php', 'root'));
        exit();
    } else {
        self::_controllerName($url['c']);
        self::_actionName($url['a']);
        $merge = array_merge(self::$params, $url['params']);
        self::_params($merge);
        Minz_Dispatcher::reset();
    }
}

see:

$merge = array_merge(self::$params, $url['params']);
self::_params($merge);

Those params end up in:

header('Location: ' . Minz_Url::display($url /* here */, 'php', 'root'));

@Inverle Inverle added this to the 1.29.0 milestone Feb 28, 2026
@Inverle Inverle added the Bug (confirmed) 🐞 issues that are reproducible label Feb 28, 2026
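The merge described above, as an added illustration that is not FreshRSS code nor this PR's change: a minimal model of the POST-into-Location merge beside a variant that builds the redirect from the target URL's own GET params only, plus a helper that reports which login form fields ended up in the query string. Function names (buggy_location, safe_location, leaked_fields) and all sample values are constructed.

```php
<?php
declare(strict_types=1);
// Added illustration, not FreshRSS code. Field names mirror the POST body in the log above;
// values are constructed placeholders. A failed login should answer with HTTP 403 in place
// rather than redirect at all, which also keeps the status visible to log-based tooling.

/** Models the buggy path: string-keyed POST fields are merged into the URL params before the redirect. */
function buggy_location(array $getParams, array $post, string $rid): string {
    $params = array_merge($getParams, array_filter($post, 'is_string', ARRAY_FILTER_USE_KEY));
    $params['rid'] = $rid;
    return '/i/?' . http_build_query($params);
}

/** Safe variant: the Location query string is built from the target URL's GET params only. */
function safe_location(array $getParams, string $rid): string {
    $params = $getParams;
    $params['rid'] = $rid;
    return '/i/?' . http_build_query($params);
}

/** Returns which login form fields appear in a redirect URL's query string (empty array means none leaked). */
function leaked_fields(string $location): array {
    parse_str((string) parse_url($location, PHP_URL_QUERY), $parsed);
    $sensitive = ['username', 'challenge', '_csrf', 'original_request'];
    return array_values(array_intersect($sensitive, array_keys($parsed)));
}

// Constructed sample of a retried login, with the fields seen in the POST body above.
$get  = ['c' => 'auth', 'a' => 'login'];
$post = [
    '_csrf'            => 'CONSTRUCTED_CSRF_TOKEN',
    'original_request' => base64_encode(json_encode(['c' => 'index', 'a' => 'normal', 'params' => []])),
    'username'         => 'user',
    'challenge'        => '$2b$04$CONSTRUCTED_CHALLENGE_HASH',
];
$rid = 'CONSTRUCTED_RID';

$buggy = buggy_location($get, $post, $rid);
$safe  = safe_location($get, $rid);
echo "buggy Location: $buggy\n  leaked: " . implode(', ', leaked_fields($buggy)) . "\n";
echo "safe  Location: $safe\n  leaked: " . (implode(', ', leaked_fields($safe)) ?: 'none') . "\n";
```

The buggy URL carries username, challenge, _csrf and original_request into a GET request (and so into access logs and browser history), while the safe variant carries only c, a and rid.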

Alkarex commented Mar 1, 2026

I have not checked yet, but after this PR, are we still returning a proper HTTP 403 in case of the corresponding error?
See #2903


Inverle commented Mar 1, 2026

> I have not checked yet, but after this PR, are we still returning a proper HTTP 403 in case of the corresponding error? See #2903

No


I'm guessing the response after 302 would have to be 403 then? (though it won't show 403 next to login in server logs anymore)


Alkarex commented Mar 1, 2026

> I'm guessing the response after 302 would have to be 403 then? (though it won't show 403 next to login in server logs anymore)

If possible, I would like a 403 at the first response (also to help tools such as Fail2Ban depending on those status codes)
