YunoHost/SSOwat
1
0
Fork 0
mirror of https://github.com/YunoHost/SSOwat.git synced 2024-09-03 20:06:27 +02:00
Code Issues Projects Releases Packages Wiki Activity

Update helpers.lua

Browse source
This commit is contained in:
Alexandre Aubin 2021-09-19 21:15:36 +02:00 committed by GitHub
parent 2f5d53540f
commit c2c73a6b24
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 10 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
helpers.lua
View file

@ -1060,6 +1060,16 @@ function redirect(url)
-- For security reason we don't allow to redirect onto unknown domain
-- And if `uri_args.r` contains line break, someone is probably trying to
-- pass some additional headers
-- This should cover the following cases:
-- https://malicious.domain.tld/foo/bar
-- http://malicious.domain.tld/foo/bar
-- https://malicious.domain.tld:1234/foo
-- malicious.domain.tld/foo/bar
-- (/foo/bar, in which case no need to make sure it's prefixed with https://)
if not string.starts(url, "/") and not string.starts(url, "http://") and not string.starts(url, "https://") then
url = "https://"..url
end
local domain = url:match("^https?://([%w%.]*)/?")
if string.match(url, "(.*)\n") or (domain ~= nil and not is_in_table(conf["domains"], domain)) then
logger.debug("Unauthorized redirection to "..url)