From 03113745d191afa8a6c729b6da24033f53f3e328 Mon Sep 17 00:00:00 2001
From: ljf
Date: Sat, 14 Sep 2019 19:58:58 +0200
Subject: [PATCH 1/2] [fix] Avoid remote unencrypted destination in proxy mode
---
 scripts/install | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/scripts/install b/scripts/install
index dc53e28..a663b8d 100644
--- a/scripts/install
+++ b/scripts/install
@@ -53,6 +53,12 @@ url_regex='(https?|ftp|file)://[-A-Za-z0-9\+&@#/%?=~_|!:,.;]*[-A-Za-z0-9\+&@#/%=
 [[ ! $redirect_path =~ $url_regex ]] && ynh_die \
 "Invalid destination: $redirect_path" 1
+# Avoid uncrypted remote destination with reverse proxy mode
+# Indeed the SSO send the password in all requests in HTTP headers
+url_regex='(http://(127.\d+.\d+.\d+|localhost)(:\d+)?/|https://)[-A-Za-z0-9\+&@#/%?=~_|!:,.;]*[-A-Za-z0-9\+&@#/%=~_|]'
+[[ "$redirect_type" = "proxy" ]] && [[ ! $redirect_path =~ $url_regex ]] && ynh_die \
+"For secure reason, you can't use an unencrypted http remote destination couple with ssowat for your reverse proxy: $redirect_path" 1
+
 # Save extra settings
 yunohost app setting $app is_public -v "$is_public"
 yunohost app setting $app redirect_type -v "$redirect_type"
From 0637590f951445463eb44541bd70abd18a1dae05 Mon Sep 17 00:00:00 2001
From: ljf
Date: Mon, 16 Sep 2019 22:46:52 +0200
Subject: [PATCH 2/2] [fix] Bad regex
---
 scripts/install | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/install b/scripts/install
index a663b8d..935709e 100644
--- a/scripts/install
+++ b/scripts/install
@@ -55,7 +55,7 @@ url_regex='(https?|ftp|file)://[-A-Za-z0-9\+&@#/%?=~_|!:,.;]*[-A-Za-z0-9\+&@#/%=
 # Avoid uncrypted remote destination with reverse proxy mode
 # Indeed the SSO send the password in all requests in HTTP headers
-url_regex='(http://(127.\d+.\d+.\d+|localhost)(:\d+)?/|https://)[-A-Za-z0-9\+&@#/%?=~_|!:,.;]*[-A-Za-z0-9\+&@#/%=~_|]'
+url_regex='^(http://(127\.[0-9]+\.[0-9]+\.[0-9]+|localhost)|https://.*)(:[0-9]+)?(/.*)?$'
 [[ "$redirect_type" = "proxy" ]] && [[ ! $redirect_path =~ $url_regex ]] && ynh_die \
 "For secure reason, you can't use an unencrypted http remote destination couple with ssowat for your reverse proxy: $redirect_path" 1
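Review bot: The `https://.*` and `(/.*)?` parts of the new `url_regex` accept any characters, whitespace included, where the [PATCH 1/2] version reused the restricted bracket class; the generic check shown in the hunk header has no leading `^` (its end is cut off there), so it may not constrain the whole of `$redirect_path` either. Keeping the anchors and escaped dots but restoring that class would be tighter: `url_regex='^(http://(127\.[0-9]+\.[0-9]+\.[0-9]+|localhost)(:[0-9]+)?(/[-A-Za-z0-9\+&@#/%?=~_|!:,.;]*)?|https://[-A-Za-z0-9\+&@#/%?=~_|!:,.;]+)$'`. Separately, matching the `https://` scheme only shows that TLS is requested: whether the upstream certificate is verified depends on proxy configuration outside this hunk (nginx, if that is the proxy here, leaves `proxy_ssl_verify` off by default), and the SSO headers the comment mentions are protected from an on-path party only when it is. The check is visible only in scripts/install; any other script that can set the destination would presumably need the same validation.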