From 1cffbc903455256f72dd27ba08fb59d726538dc5 Mon Sep 17 00:00:00 2001
From: Thomas Gelf
Date: Tue, 19 Aug 2014 09:30:54 +0200
Subject: [PATCH] LoginForm: add "redirect" POST field

Instead of blindly trusting the redirect parameter in the URL this creates a hidden form field and explicitely set's the form action to the current URL without the redirect parameter.

refs #6584
---
 application/forms/Authentication/LoginForm.php | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/application/forms/Authentication/LoginForm.php b/application/forms/Authentication/LoginForm.php
index cbe25b623..f7fc9f22e 100644
--- a/application/forms/Authentication/LoginForm.php
+++ b/application/forms/Authentication/LoginForm.php
@@ -5,6 +5,7 @@ namespace Icinga\Form\Authentication;
 use Icinga\Web\Form;
+use Icinga\Web\Url;
 /**
  * Class LoginForm
@@ -16,12 +17,19 @@ class LoginForm extends Form
      */
     protected function create()
     {
+        $url = Url::fromRequest();
         $this->setName('form_login');
         $this->addElement('text', 'username', array(
             'label' => t('Username'),
             'placeholder' => t('Please enter your username...'),
             'required' => true,
         ));
+        $redir = $this->addElement('hidden', 'redirect');
+        $redirectUrl = $url->shift('redirect');
+        if ($redirectUrl) {
+            $this->setDefault('redirect', $redirectUrl);
+        }
         $this->addElement('password', 'password', array(
             'label' => t('Password'),
@@ -34,6 +42,7 @@ class LoginForm extends Form
         } else {
             $this->getElement('username')->setAttrib('class', 'autofocus');
         }
+        $this->setAction((string) $url);
         $this->setSubmitLabel('Login');
     }
 }
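Review bot: The value seeded into the hidden field at `$this->setDefault('redirect', $redirectUrl)` is still taken verbatim from the request via `$url->shift('redirect')`, so moving it from the query string into a POST field does not by itself stop an externally supplied absolute URL from being honoured after login; whatever later reads the POSTed `redirect` value must reject anything carrying a scheme or host, or that check belongs here before `setDefault` (the hunk does not show either). `$redir` is assigned but never read, so the line can simply be `$this->addElement('hidden', 'redirect');`. `if ($redirectUrl)` is a truthiness test and would silently drop a redirect value of `'0'`; `if ($redirectUrl !== null && $redirectUrl !== '')` says what is meant, assuming shift() yields null for an absent parameter, which I cannot confirm from this hunk. The body of create() continues outside the hunk.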
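Review bot: `$this->setAction((string) $url)` only yields an action without the redirect parameter if `Url::shift()` removes the parameter from `$url` in place rather than merely returning its value; shift()'s contract is not visible in this diff, so it is worth pinning with a test asserting the rendered action carries no `redirect=` after a request that did. Every other query parameter of the current request is kept in the action, which appears to be the intent. The enclosing create() begins in the previous hunk.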