No redirection to frontpage after login

this looks like a bug introduced in 6.16 - it's testing if $destination is not empty, should test that it is not FALSE to allow for an empty string. this is the change in question, i believe - a copy of a Drupal 5 change?

anyway, changing that test makes an empty destination - where the url has destination= - work again.

=== and !== are strict about data types. so 0 == "" is true but 0 === "" is not true. and yes about the patch. i don't know what the related 5.x change was, it might be that something needs fixing there too.

ah, i was misreading the revision log. it looks like this was part of a security fix in the latest releases of 6.x and 5.x. this fix ought to be OK but yes, someone needs to review it. the automated system is trying to apply it to 7.x as far as i can tell and that will never work anyway. fwiw, i'm attaching a new file against CVS DRUPAL-6.

trying again...

As an FYI for other users this same problem can be reproduced using the Email Registration module. That module redirects to the user page when a user is authenticated. It took me a while to track that issue down today and wanted to share.

i don't seem to be able to make this patch file correctly. any suggestions anyone might have as to what might be wrong would be great. meantime, here's another go, against 6.17

(subscribe)

Try to visit admin/config/system/site-information and see at the end of the page what address is set like homepage (by default is /node) and put it like destination.

reroll against 6.x from git - let's see if it gets tested........

Hi there,

I'm on 6.20 and getting a similar issue where only in case of a failed login I'm getting Server Error (in Chrome) and white screen in FF - this page is appended with destination=node%2F793. If I remove the =node%2F793 or the whole destination=node%2F793 I'll get my page as desired - with a warning that I've entered wrong password or username.
It also appears fine if I reload the page.

This happens if I enter wrong login to the site (password or username) while going into it from a login box placed in Panel on the page which is permission protected.

If I do this from /user or /admin this is fine.

I've tried disabling the login toboggan and login destinations but with no result.
Any help will be much appreciated.

Cheers,

Pav

Restored actual issue title and last tested version. This bug is still present in 6.24. I will try to create a patch file again. If anyone reads this who has a better grasp on that, the change is extremely simple, to line 327 of includes/common.inc:

-  if ($destination) {
+  if ($destination !== FALSE) {
     // Do not redirect to an absolute URL originating from user input.