[fix] CVE-2018-11347 http header injection

2024-09-03 20:06:27 +02:00 · 2018-12-06 23:21:13 +01:00 · 2018-12-06 23:21:13 +01:00 · fe3d445507
commit fe3d445507
parent 23bde07c9b
1 changed files with 8 additions and 0 deletions
--- a/helpers.lua
+++ b/helpers.lua
@ -869,6 +869,14 @@ function login()
    -- Forward the `r` URI argument if it exists to redirect
    -- the user properly after a successful login.
    if uri_args.r then
+        -- If `uri_args.r` contains line break, someone is probably trying to
+        -- pass some additional headers
+        if string.match(uri_args.r, "(.*)\n") then
+            flash("fail", t("redirection_error_invalid_url"))
+            ngx.log(ngx.ERR, "Redirection url is invalid")
+            return redirect(conf.portal_url)
+        end
+
        return redirect(conf.portal_url.."?r="..uri_args.r)
    else
        return redirect(conf.portal_url)