Fix absolute redirect

Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
This commit is contained in:
John Molakvoæ (skjnldsv) 2020-04-10 08:50:15 +02:00
parent b68680596d
commit 6c49dc2d1f
No known key found for this signature in database
GPG Key ID: 60C25B8C072916CF
2 changed files with 5 additions and 5 deletions

View File

@ -260,7 +260,7 @@ class LoginController extends Controller {
private function generateRedirect(?string $redirectUrl): RedirectResponse {
if ($redirectUrl !== null && $this->userSession->isLoggedIn()) {
$location = $this->urlGenerator->getAbsoluteURL(urldecode($redirectUrl));
$location = $this->urlGenerator->getAbsoluteURL($redirectUrl);
// Deny the redirect if the URL contains a @
// This prevents unvalidated redirects like ?redirect_url=:user@domain.com
if (strpos($location, '@') === false) {

View File

@ -509,7 +509,7 @@ class LoginControllerTest extends TestCase {
->method('getUID')
->willReturn('jane');
$password = 'secret';
$originalUrl = 'another%20url';
$originalUrl = 'another url';
$redirectUrl = 'http://localhost/another url';
$this->request
@ -551,7 +551,7 @@ class LoginControllerTest extends TestCase {
$this->request,
$user,
$password,
'%2Fapps%2Fmail'
'/apps/mail'
);
$loginResult = LoginResult::success($loginData);
$this->chain->expects($this->once())
@ -563,11 +563,11 @@ class LoginControllerTest extends TestCase {
->willReturn(true);
$this->urlGenerator->expects($this->once())
->method('getAbsoluteURL')
->with(urldecode('/apps/mail'))
->with('/apps/mail')
->willReturn($redirectUrl);
$expected = new \OCP\AppFramework\Http\RedirectResponse($redirectUrl);
$response = $this->loginController->tryLogin($user, $password, '%2Fapps%2Fmail');
$response = $this->loginController->tryLogin($user, $password, '/apps/mail');
$this->assertEquals($expected, $response);
}