[fix] Validate domain & url before redirection on login.

This commit is contained in:
opi 2017-02-23 23:15:30 +01:00
parent e6631df5b1
commit 9956a7c1c1
2 changed files with 33 additions and 0 deletions


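--- a/PATH_UNKNOWN_FILE_1
+++ b/PATH_UNKNOWN_FILE_1
@@ -79,6 +79,7 @@ then
 return hlp.redirect(conf.portal_url)
 end
+-- Get request arguments
 uri_args = ngx.req.get_uri_args()
 -- Logout is also called via a `GET` method
@@ -89,8 +90,38 @@ then
 -- If the `r` URI argument is set, it means that we want to
 -- be redirected (typically after a login phase)
 elseif hlp.is_logged_in() and uri_args.r then
+-- Decode back url
 back_url = ngx.decode_base64(uri_args.r)
+-- If `back_url` contains line break, someone is probably trying to
+-- pass some additional headers
+if string.match(back_url, "(.*)\n") then
+hlp.flash("fail", hlp.t("redirection_error_invalid_url"))
+ngx.log(ngx.ERR, "Redirection url is invalid")
+return hlp.redirect(conf.portal_url)
+end
+-- Get managed domains
+conf = config.get_config()
+local managed_domain = false
+for _, domain in ipairs(conf["domains"]) do
+local escaped_domain = domain:gsub("-", "%%-") -- escape dash for pattern matching
+if string.match(back_url, "^http[s]?://"..escaped_domain.."/") then
+ngx.log(ngx.INFO, "Redirection to a managed domain found")
+managed_domain = true
+break
+end
+end
+-- If redirection does not match one of the managed domains
+-- redirect to portal home page
+if not managed_domain then
+hlp.flash("fail", hlp.t("redirection_error_unmanaged_domain"))
+ngx.log(ngx.ERR, "Redirection to an external domain aborted")
+return hlp.redirect(conf.portal_url)
+end
 -- In case the `back_url` is not on the same domain than the
 -- current one, create a redirection with a CDA key
 local ngx_host_escaped = ngx.var.host:gsub("-", "%%-") -- escape dash for pattern matching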
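Review bot: The managed-domain check `string.match(back_url, "^http[s]?://"..escaped_domain.."/")` only escapes `-` in the configured domain, so every `.` in it remains a pattern wildcard and the allow-list is looser than the comment "escape dash for pattern matching" suggests; escaping all punctuation, `local escaped_domain = domain:gsub("%p", "%%%0")`, makes the configured domain match literally (the same applies to `ngx_host_escaped` on the last context line). The newline guard a few lines earlier rejects only `\n`, not a bare `\r`, and it is reached with a nil `back_url` when `uri_args.r` is not valid base64, since ngx.decode_base64 returns nil for malformed input and `string.match(nil, ...)` raises a Lua error instead of flashing the new `redirection_error_invalid_url` message; `if not back_url or string.find(back_url, "[\r\n]") then` covers both cases with the existing error branch. The `elseif` branch and the enclosing `if ... then` block both begin before the hunk and continue past it.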


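--- a/PATH_UNKNOWN_FILE_2
+++ b/PATH_UNKNOWN_FILE_2
@@ -34,6 +34,8 @@
 "logged_out": "Logged out",
 "please_login": "Please log in to access to this content",
 "please_login_from_portal": "Please log in from the portal",
+"redirection_error_invalid_url": "Redirection error: Invalid url",
+"redirection_error_unmanaged_domain": "Redirection error: Unmanaged domain",
 "footerlink_edit": "Edit my profile",
 "footerlink_documentation": "Documentation",
 "footerlink_support": "Support",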