Fix absolute redirect

Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
John Molakvoæ (skjnldsv) 2020-04-10 08:50:15 +02:00
parent b68680596d
commit 6c49dc2d1f
No known key found for this signature in database
GPG Key ID: 60C25B8C072916CF
2 changed files with 5 additions and 5 deletions


@ -260,7 +260,7 @@ class LoginController extends Controller {
private function generateRedirect(?string $redirectUrl): RedirectResponse { private function generateRedirect(?string $redirectUrl): RedirectResponse {
if ($redirectUrl !== null && $this->userSession->isLoggedIn()) { if ($redirectUrl !== null && $this->userSession->isLoggedIn()) {
$location = $this->urlGenerator->getAbsoluteURL(urldecode($redirectUrl)); $location = $this->urlGenerator->getAbsoluteURL($redirectUrl);
// Deny the redirect if the URL contains a @ // Deny the redirect if the URL contains a @
// This prevents unvalidated redirects like ?redirect_url=:user@domain.com // This prevents unvalidated redirects like ?redirect_url=:user@domain.com
if (strpos($location, '@') === false) { if (strpos($location, '@') === false) {
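Review bot: The `@` check on the last line of the hunk now runs on a value that is no longer urldecode()d (reading the side without urldecode() as the new one, consistent with the test changes), so a target that still carries a percent-encoded `@` (`%40`) would pass `strpos($location, '@') === false`; whether that is reachable depends on how getAbsoluteURL() and the router normalise `$redirectUrl`, which is not visible here. A comment on the `$location =` line stating the assumption would prevent the decode being reintroduced by the next maintainer, e.g. `// $redirectUrl is already decoded by the request layer; decoding again would turn %25xx sequences into a second decode pass`. As a point of style, the check reads better as `if (!str_contains($location, '@')) {` if the project targets PHP 8.0+. generateRedirect() continues past the end of the hunk.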


@ -509,7 +509,7 @@ class LoginControllerTest extends TestCase {
->method('getUID') ->method('getUID')
->willReturn('jane'); ->willReturn('jane');
$password = 'secret'; $password = 'secret';
$originalUrl = 'another%20url'; $originalUrl = 'another url';
$redirectUrl = 'http://localhost/another url'; $redirectUrl = 'http://localhost/another url';
$this->request $this->request
@ -551,7 +551,7 @@ class LoginControllerTest extends TestCase {
$this->request, $this->request,
$user, $user,
$password, $password,
'%2Fapps%2Fmail' '/apps/mail'
); );
$loginResult = LoginResult::success($loginData); $loginResult = LoginResult::success($loginData);
$this->chain->expects($this->once()) $this->chain->expects($this->once())
@ -563,11 +563,11 @@ class LoginControllerTest extends TestCase {
->willReturn(true); ->willReturn(true);
$this->urlGenerator->expects($this->once()) $this->urlGenerator->expects($this->once())
->method('getAbsoluteURL') ->method('getAbsoluteURL')
->with(urldecode('/apps/mail')) ->with('/apps/mail')
->willReturn($redirectUrl); ->willReturn($redirectUrl);
$expected = new \OCP\AppFramework\Http\RedirectResponse($redirectUrl); $expected = new \OCP\AppFramework\Http\RedirectResponse($redirectUrl);
$response = $this->loginController->tryLogin($user, $password, '%2Fapps%2Fmail'); $response = $this->loginController->tryLogin($user, $password, '/apps/mail');
$this->assertEquals($expected, $response); $this->assertEquals($expected, $response);
} }
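Review bot: The rewritten expectation `->with('/apps/mail')` in the last hunk only exercises an input that is identical before and after decoding, so it cannot catch a regression that reintroduces urldecode() in generateRedirect(). A second dataset whose redirect target contains a percent-encoded sequence (the `'another url'` fixture in the first hunk was previously `'another%20url'`), asserting that `getAbsoluteURL` receives the raw string unchanged, would pin the behaviour this commit changes. The `$originalUrl` assignment in the first hunk is now identical to the decoded form; if its only use (outside the hunk) was to check decoding, it may be redundant.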