From 253cde4b9ae03509f0da4687884b00fc5c28c950 Mon Sep 17 00:00:00 2001
From: Laurent Peuch
Date: Thu, 6 Dec 2018 23:21:13 +0100
Subject: [PATCH] [fix] CVE-2018-11347 http header injection

---
 helpers.lua | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/helpers.lua b/helpers.lua
index 9aff1b2..afda962 100644
--- a/helpers.lua
+++ b/helpers.lua
@@ -910,6 +910,14 @@ function login()
 -- Forward the `r` URI argument if it exists to redirect
 -- the user properly after a successful login.
 if uri_args.r then
+ -- If `uri_args.r` contains line break, someone is probably trying to
+ -- pass some additional headers
+ if string.match(uri_args.r, "(.*)\n") then
+ flash("fail", t("redirection_error_invalid_url"))
+ ngx.log(ngx.ERR, "Redirection url is invalid")
+ return redirect(conf.portal_url)
+ end
+
 return redirect(conf.portal_url.."?r="..uri_args.r)
 else
 return redirect(conf.portal_url)
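Review bot: The guard at `if string.match(uri_args.r, "(.*)\n") then` only rejects a bare LF, so a value containing only a CR still reaches the `Location` value built on the following `return redirect(conf.portal_url.."?r="..uri_args.r)` line, and the capture group does nothing useful. A character class covers both line terminators and reads more directly: `if string.find(uri_args.r, "[\r\n]") then`. If `uri_args` comes from `ngx.req.get_uri_args()`, a repeated `r` parameter would presumably arrive as a table rather than a string and `string.match` would raise instead of falling into the error branch; prefixing the condition with `type(uri_args.r) ~= "string" or` would reject that case the same way. The enclosing `login()` begins before this hunk and continues after it.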