mirror of
https://github.com/Suwayomi/Suwayomi-Server.git
synced 2026-07-04 11:24:35 -05:00
* [#1749] Only consider path in SIMPLE_LOGIN redirect We don't really care about the origin, since that is implicit in `Location` headers if not given, which sidesteps the HTTP/HTTPS issue * Refuse non-relative redirects
This commit is contained in:
@@ -42,6 +42,7 @@ import suwayomi.tachidesk.server.util.Browser
|
|||||||
import suwayomi.tachidesk.server.util.ServerSubpath
|
import suwayomi.tachidesk.server.util.ServerSubpath
|
||||||
import suwayomi.tachidesk.server.util.WebInterfaceManager
|
import suwayomi.tachidesk.server.util.WebInterfaceManager
|
||||||
import java.io.IOException
|
import java.io.IOException
|
||||||
|
import java.net.URI
|
||||||
import java.net.URLEncoder
|
import java.net.URLEncoder
|
||||||
import java.util.Locale
|
import java.util.Locale
|
||||||
import java.util.concurrent.CompletableFuture
|
import java.util.concurrent.CompletableFuture
|
||||||
@@ -149,6 +150,10 @@ object JavalinSetup {
|
|||||||
|
|
||||||
if (isValid) {
|
if (isValid) {
|
||||||
val redirect = ctx.queryParam("redirect") ?: ServerSubpath.maybeAddAsPrefix("/")
|
val redirect = ctx.queryParam("redirect") ?: ServerSubpath.maybeAddAsPrefix("/")
|
||||||
|
val uri = URI(redirect)
|
||||||
|
if (uri.host != null || uri.scheme != null) {
|
||||||
|
throw IllegalArgumentException("Given redirect is not relative, refusing")
|
||||||
|
}
|
||||||
// NOTE: We currently have no session handler attached.
|
// NOTE: We currently have no session handler attached.
|
||||||
// Thus, all sessions are stored in memory and not persisted.
|
// Thus, all sessions are stored in memory and not persisted.
|
||||||
// Furthermore, default session timeout appears to be 30m
|
// Furthermore, default session timeout appears to be 30m
|
||||||
@@ -199,7 +204,8 @@ object JavalinSetup {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (authMode == AuthMode.SIMPLE_LOGIN && !cookieValid() && !isApi) {
|
if (authMode == AuthMode.SIMPLE_LOGIN && !cookieValid() && !isApi) {
|
||||||
val url = "$loginPath?redirect=" + URLEncoder.encode(ctx.fullUrl(), Charsets.UTF_8)
|
val url =
|
||||||
|
"$loginPath?redirect=" + URLEncoder.encode(ctx.path() + (ctx.queryString()?.let { "?" + it } ?: ""), Charsets.UTF_8)
|
||||||
ctx.header("Location", url)
|
ctx.header("Location", url)
|
||||||
throw RedirectResponse(HttpStatus.SEE_OTHER)
|
throw RedirectResponse(HttpStatus.SEE_OTHER)
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user