tyler.durden/icingaweb2
1
0
Fork 0
mirror of https://github.com/Icinga/icingaweb2.git synced 2025-07-28 00:04:04 +02:00
Code Issues Packages Projects Releases Wiki Activity

login: Don't redirect to external resources

Browse Source 
fixes #4945

(cherry picked from commit ec7fb82a94729cd541761509985fb9ffc03b9faa)
This commit is contained in:
Johannes Meyer 2022-12-01 14:07:29 +01:00
parent d00b3bf19c
commit ee43f4a002
2 changed files with 21 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
application/controllers/AuthenticationController.php
View File

@ -68,7 +68,18 @@ class AuthenticationController extends Controller
// Call provided AuthenticationHook(s) when login action is called // Call provided AuthenticationHook(s) when login action is called
// but icinga web user is already authenticated // but icinga web user is already authenticated
AuthenticationHook::triggerLogin($this->Auth()->getUser()); AuthenticationHook::triggerLogin($this->Auth()->getUser());
$this->redirectNow($this->params->get('redirect', $form->getRedirectUrl()));
$redirect = $this->params->get('redirect');
if ($redirect) {
$redirectUrl = Url::fromPath($redirect, [], $this->getRequest());
if ($redirectUrl->isExternal()) {
$this->httpBadRequest('nope');
}
} else {
$redirectUrl = $form->getRedirectUrl();
}
$this->redirectNow($redirectUrl);
} }
if (! $requiresSetup) { if (! $requiresSetup) {
$cookies = new CookieHelper($this->getRequest()); $cookies = new CookieHelper($this->getRequest());

10
application/forms/Authentication/LoginForm.php
View File

@ -10,6 +10,7 @@ use Icinga\Application\Logger;
use Icinga\Authentication\Auth; use Icinga\Authentication\Auth;
use Icinga\Authentication\User\ExternalBackend; use Icinga\Authentication\User\ExternalBackend;
use Icinga\Common\Database; use Icinga\Common\Database;
use Icinga\Exception\Http\HttpBadRequestException;
use Icinga\User; use Icinga\User;
use Icinga\Web\Form; use Icinga\Web\Form;
use Icinga\Web\RememberMe; use Icinga\Web\RememberMe;
@ -119,10 +120,17 @@ class LoginForm extends Form
if ($this->created) { if ($this->created) {
$redirect = $this->getElement('redirect')->getValue(); $redirect = $this->getElement('redirect')->getValue();
} }
if (empty($redirect) || strpos($redirect, 'authentication/logout') !== false) { if (empty($redirect) || strpos($redirect, 'authentication/logout') !== false) {
$redirect = static::REDIRECT_URL; $redirect = static::REDIRECT_URL;
} }
return Url::fromPath($redirect);
$redirectUrl = Url::fromPath($redirect);
if ($redirectUrl->isExternal()) {
throw new HttpBadRequestException('nope');
}
return $redirectUrl;
} }
/** /**