Updated public-login redirect to check url
authorDan Brown <redacted>
Tue, 28 Jul 2020 15:27:16 +0000 (16:27 +0100)
committerDan Brown <redacted>
Tue, 28 Jul 2020 15:29:06 +0000 (16:29 +0100)
Direct links to the login pages for public instances could lead to a
redirect back to an external page upon login.
This adds a check to ensure the URL is a URL expected from the current
bookstack instance, or at least under the same domain.

Fixes #2073

app/Http/Controllers/Auth/LoginController.php
tests/Auth/AuthTest.php

index cd7a4db3201524c2de7fb1838cd90946ef14c805..8084ce1a5dcfa220af09c73b21f711bdcc363dce 100644 (file)
@@ -77,9 +77,13 @@ class LoginController extends Controller
             ]);
         }
 
+        // Store the previous location for redirect after login
         $previous = url()->previous('');
-        if (setting('app-public') && $previous && $previous !== url('/login')) {
-            redirect()->setIntendedUrl($previous);
+        if ($previous && $previous !== url('/login') && setting('app-public')) {
+            $isPreviousFromInstance = (strpos($previous, url('/')) === 0);
+            if ($isPreviousFromInstance) {
+                redirect()->setIntendedUrl($previous);
+            }
         }
 
         return view('auth.login', [
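Review bot: The prefix test on the added line `$isPreviousFromInstance = (strpos($previous, url('/')) === 0);` compares against the instance root without a trailing delimiter, so if `url('/')` yields e.g. `http://localhost` (Laravel's `url('/')` normally has no trailing slash) any referer whose host merely begins with the instance host passes the check, and the external-redirect the commit message describes remains reachable for such lookalike hosts. Anchoring the comparison on the root followed by `/` closes that gap while still accepting the bare root itself: `$root = rtrim(url('/'), '/');` and `$isPreviousFromInstance = ($previous === $root) || strpos($previous, $root . '/') === 0;`. It is also worth a comment that this intentionally checks scheme and host, not just the domain, since the commit message's "at least under the same domain" is looser than what the code enforces. The enclosing method starts and ends outside the hunk.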
index 8900eeeba10e39c9a75590f716343b3f64124221..6257f841f9351db6d1eb4ffc2e961de6f4388b4b 100644 (file)
@@ -381,6 +381,17 @@ class AuthTest extends BrowserKitTest
             ->seePageUrlIs($page->getUrl());
     }
 
+    public function test_login_intended_redirect_does_not_redirect_to_external_pages()
+    {
+        config()->set('app.url', 'http://localhost');
+        $this->setSettings(['app-public' => true]);
+
+        $this->get('/login', ['referer' => 'https://example.com']);
+        $login = $this->post('/login', ['email' => '[email protected]', 'password' => 'password']);
+
+        $login->assertRedirectedTo('http://localhost');
+    }
+
     public function test_login_authenticates_admins_on_all_guards()
     {
         $this->post('/login', ['email' => '[email protected]', 'password' => 'password']);
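Review bot: The new test `test_login_intended_redirect_does_not_redirect_to_external_pages` only asserts the negative case, so nothing guards against the new check rejecting a legitimate same-instance referer and silently breaking the "return to where I was" behaviour. A companion case that sends `['referer' => 'http://localhost/books']` before the same `post('/login', ...)` and asserts `$login->assertRedirectedTo('http://localhost/books');` would pin both sides of the condition. A third case with a referer whose host starts with the instance host but is not the instance (constructed, e.g. `http://localhost.example`) would document the prefix-matching boundary of the controller's check. The enclosing class continues outside the hunk.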