From c2c73a6b24050626bce2373474a6dc320a80c2dc Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Sun, 19 Sep 2021 21:15:36 +0200 Subject: [PATCH] Update helpers.lua --- helpers.lua | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/helpers.lua b/helpers.lua index a060291..6ddf7b5 100644 --- a/helpers.lua +++ b/helpers.lua @@ -1060,6 +1060,16 @@ function redirect(url) -- For security reason we don't allow to redirect onto unknown domain -- And if `uri_args.r` contains line break, someone is probably trying to -- pass some additional headers + + -- This should cover the following cases: + -- https://malicious.domain.tld/foo/bar + -- http://malicious.domain.tld/foo/bar + -- https://malicious.domain.tld:1234/foo + -- malicious.domain.tld/foo/bar + -- (/foo/bar, in which case no need to make sure it's prefixed with https://) + if not string.starts(url, "/") and not string.starts(url, "http://") and not string.starts(url, "https://") then + url = "https://"..url + end local domain = url:match("^https?://([%w%.]*)/?") if string.match(url, "(.*)\n") or (domain ~= nil and not is_in_table(conf["domains"], domain)) then logger.debug("Unauthorized redirection to "..url)
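Review bot: The added guard `if not string.starts(url, "/") and ...` treats every value beginning with `/` as a local path, but a protocol-relative target such as `//evil.tld/x` (or `/\evil.tld`, which browsers normalize the same way) also starts with `/`, so it is never prefixed, `domain` stays nil, and the whitelist test on the following line lets it through — an open redirect the commit's list of covered cases does not include. A one-line addition to the existing condition closes it: `if string.match(url, "(.*)\n") or string.match(url, "^/[/\\]") or (domain ~= nil and not is_in_table(conf["domains"], domain)) then`. Separately, the unchanged capture `^https?://([%w%.]*)/?` stops at the first character outside `[%w%.]` without requiring a delimiter, so `https://allowed.tld@evil.tld/` appears to yield `allowed.tld` and pass (while a hyphenated allowed host would be truncated and rejected); the host should be required to end at `/`, `:`, `?`, `#` or end of string, with `-` permitted, and an absolute URL whose host cannot be extracted rejected rather than treated as local. `string.starts` is presumably a plain prefix helper defined elsewhere, and `redirect`'s body continues past the end of the hunk.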