From 0e6369bb38b75e767a456797f0f7dd4ebb066101 Mon Sep 17 00:00:00 2001
From: Kayou
Date: Mon, 15 Nov 2021 00:49:51 +0100
Subject: [PATCH 1/2] fix not only alphanumeric characters domain name

---
 helpers.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/helpers.lua b/helpers.lua
index 6ddf7b5..5728a17 100644
--- a/helpers.lua
+++ b/helpers.lua
@@ -1070,7 +1070,7 @@ function redirect(url)
 if not string.starts(url, "/") and not string.starts(url, "http://") and not string.starts(url, "https://") then
 url = "https://"..url
 end
- local domain = url:match("^https?://([%w%.]*)/?")
+ local domain = url:match("^https?://([^/]+)/?")
 if string.match(url, "(.*)\n") or (domain ~= nil and not is_in_table(conf["domains"], domain)) then
 logger.debug("Unauthorized redirection to "..url)
 flash("fail", t("redirection_error_invalid_url"))

From 325964742d890b67206c93f38cdf4b42f75164a4 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Mon, 15 Nov 2021 19:02:13 +0100
Subject: [PATCH 2/2] Improve check for unauthorized redirect url

Co-authored-by: Kayou
---
 helpers.lua | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/helpers.lua b/helpers.lua
index 5728a17..b2d0046 100644
--- a/helpers.lua
+++ b/helpers.lua
@@ -1070,8 +1070,11 @@ function redirect(url)
 if not string.starts(url, "/") and not string.starts(url, "http://") and not string.starts(url, "https://") then
 url = "https://"..url
 end
- local domain = url:match("^https?://([^/]+)/?")
- if string.match(url, "(.*)\n") or (domain ~= nil and not is_in_table(conf["domains"], domain)) then
+ local is_known_domain = false
+ for _, domain in ipairs(conf["domains"]) do
+ is_known_domain = is_known_domain or url:match("^https?://"..domain.."/?") ~= nil
+ end
+ if string.match(url, "(.*)\n") or not is_known_domain then
 logger.debug("Unauthorized redirection to "..url)
 flash("fail", t("redirection_error_invalid_url"))
 url = conf.portal_url
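Review bot: The new capture `[^/]+` takes the whole authority component, so a port or userinfo (constructed examples: `https://example.com:8443/`, `https://user@example.com/`) is compared verbatim against `conf["domains"]` and rejected unless listed there. That is the safe direction, but it is not obvious from the pattern and deserves a comment on the match line, e.g. `-- whole authority (incl. any userinfo/port) must equal a configured domain`. This hunk is superseded by the second patch in the series. The enclosing `redirect()` function starts and ends outside the hunk.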
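Review bot: The new loop interpolates each configured domain into a Lua pattern unescaped and leaves the pattern open after the host, so `.` in a domain matches any character and a URL whose host merely starts with a configured domain (constructed examples: `https://example.com.attacker.example/`, `https://example.com@attacker.example/`) still satisfies `^https?://example.com/?`. Escape the domain with `domain:gsub("%p", "%%%0")` and require the host to be followed by end-of-string, `/`, `?` or `#`, as below. Separately, a URL beginning with `/` no longer passes this check, since the old `domain ~= nil and` clause let it through and the loop only matches absolute URLs; if site-relative redirects are expected, handle them explicitly before the loop rather than letting them fall into the failure branch. The enclosing `redirect()` function starts and ends outside the hunk.
```lua
    local is_known_domain = false
    for _, domain in ipairs(conf["domains"]) do
        -- Escape pattern magic characters so "." matches only a literal dot.
        local escaped = domain:gsub("%p", "%%%0")
        -- The host must end right after the domain: end of string, path, query or fragment.
        if url:match("^https?://"..escaped.."$") or url:match("^https?://"..escaped.."[/?#]") then
            is_known_domain = true
            break
        end
    end
    -- … unchanged: newline check and failure branch …
```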