From d7cdc4d66840512dee7c08ae2603906597b797f4 Mon Sep 17 00:00:00 2001
From: ljf
Date: Thu, 29 Jul 2021 17:54:45 +0200
Subject: [PATCH] [fix] Avoid redirection on unmanaged domains
---
 helpers.lua | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/helpers.lua b/helpers.lua
index 0b89466..c2f7f88 100644
--- a/helpers.lua
+++ b/helpers.lua
@@ -1012,14 +1012,6 @@ function login()
 -- Forward the `r` URI argument if it exists to redirect
 -- the user properly after a successful login.
 if uri_args.r then
- -- If `uri_args.r` contains line break, someone is probably trying to
- -- pass some additional headers
- if string.match(uri_args.r, "(.*)\n") then
- flash("fail", t("redirection_error_invalid_url"))
- logger.debug("Redirection url is invalid")
- return redirect(conf.portal_url)
- end
-
 return redirect(conf.portal_url.."?r="..uri_args.r)
 else
 return redirect(conf.portal_url)
@@ -1058,6 +1050,15 @@ end
 -- Set cookie and redirect (needed to properly set cookie)
 function redirect(url)
 logger.debug("Redirecting to "..url)
+ -- For security reason we don't allow to redirect onto unknown domain
+ -- And if `uri_args.r` contains line break, someone is probably trying to
+ -- pass some additional headers
+ local domain = url:match("^https?://([%w%.]*)/?")
+ if string.match(url, "(.*)\n") or not is_in_table(conf["domains"], domain) then
+ logger.debug("Unauthorized redirection to "..url)
+ flash("fail", t("redirection_error_invalid_url"))
+ url = conf.portal_url
+ end
 return ngx.redirect(url)
 end
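Review bot: The host extraction in redirect() is not anchored at the end of the URL's authority: `url:match("^https?://([%w%.]*)/?")` stops at the first character outside `[%w.]`, so a hyphenated hostname such as `my-site.example.com` yields `my` and is refused, while an authority that continues past an allowed prefix with a character the class does not cover (userinfo `@`, a `:port`) is judged on that prefix rather than on the host the browser will actually be sent to. Capturing the whole authority and comparing it verbatim against `conf["domains"]` fixes both cases, e.g. `local domain = url:match("^https?://([^/?#]*)")`, lowercased before the lookup if configured domains may differ in case. The line-break test on the following line only looks for `\n`; `url:find("[\r\n]")` would also reject a bare carriage return in the Location value. is_in_table is not visible here, so confirm it returns false for a nil `domain` (relative or non-http URL, where the match yields nothing) — failing closed to `conf.portal_url` is the intended result. The whole redirect() function is inside the hunk.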