[fix] Avoid redirection on unmanaged domains

This commit is contained in:
ljf 2021-07-29 17:54:45 +02:00
parent ecaecddac5
commit d7cdc4d668


@ -1012,14 +1012,6 @@ function login()
-- Forward the `r` URI argument if it exists to redirect -- Forward the `r` URI argument if it exists to redirect
-- the user properly after a successful login. -- the user properly after a successful login.
if uri_args.r then if uri_args.r then
-- If `uri_args.r` contains line break, someone is probably trying to
-- pass some additional headers
if string.match(uri_args.r, "(.*)\n") then
flash("fail", t("redirection_error_invalid_url"))
logger.debug("Redirection url is invalid")
return redirect(conf.portal_url)
end
return redirect(conf.portal_url.."?r="..uri_args.r) return redirect(conf.portal_url.."?r="..uri_args.r)
else else
return redirect(conf.portal_url) return redirect(conf.portal_url)
@ -1058,6 +1050,15 @@ end
-- Set cookie and redirect (needed to properly set cookie) -- Set cookie and redirect (needed to properly set cookie)
function redirect(url) function redirect(url)
logger.debug("Redirecting to "..url) logger.debug("Redirecting to "..url)
-- For security reason we don't allow to redirect onto unknown domain
-- And if `uri_args.r` contains line break, someone is probably trying to
-- pass some additional headers
local domain = url:match("^https?://([%w%.]*)/?")
if string.match(url, "(.*)\n") or not is_in_table(conf["domains"], domain) then
logger.debug("Unauthorized redirection to "..url)
flash("fail", t("redirection_error_invalid_url"))
url = conf.portal_url
end
return ngx.redirect(url) return ngx.redirect(url)
end end
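Review bot: The host capture `[%w%.]*` on the new `local domain = url:match(...)` line is too narrow in one direction and too loose in the other: `%w` excludes `-`, so a legitimate redirect to a hyphenated managed host captures only the text before the first hyphen and is rejected, and because nothing constrains the character after the capture, a URL whose host part continues with other characters (userinfo, a port, a different separator) is checked only on its leading prefix against `conf["domains"]`. Both come from the same pattern: the capture should allow `-` and must be terminated by `/`, `:`, `?`, `#` or the end of the string, e.g. `local domain = url:match("^https?://([%w%.%-]+)$") or url:match("^https?://([%w%.%-]+)[/:?#]")` (two `match` calls because Lua patterns have no alternation). Whether `is_in_table(conf["domains"], nil)` returns false for an unmatched URL cannot be seen here; if it does not, the `not domain` case needs an explicit check so a non-matching URL still falls back to `conf.portal_url`. Also note that `logger.debug("Redirecting to "..url)` on the line above runs before validation, so unauthorized targets are logged twice; harmless, but the second log line could carry the decisive message alone.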