135/netdisco
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

avoid open redirect vulnerability with return_url login helper

Browse Source
This commit is contained in:
Oliver Gorwits
2023-06-28 16:56:04 +01:00
parent ef4e3f5181
commit a2da6a7a04
1 changed files with 2 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
lib/App/Netdisco/Web/AuthN.pm
View File

@@ -8,6 +8,7 @@ use Dancer::Plugin::Swagger;
use App::Netdisco; # a safe noop but needed for standalone testing use App::Netdisco; # a safe noop but needed for standalone testing
use App::Netdisco::Util::Web 'request_is_api'; use App::Netdisco::Util::Web 'request_is_api';
use MIME::Base64; use MIME::Base64;
use URI::Based;
# ensure that regardless of where the user is redirected, we have a link # ensure that regardless of where the user is redirected, we have a link
# back to the page they requested. # back to the page they requested.
@@ -162,7 +163,7 @@ post '/login' => sub {
return to_json { api_key => $user->token }; return to_json { api_key => $user->token };
} }
redirect param('return_url'); redirect ((scalar URI::Based->new(param('return_url'))->path_query) || '/');
} }
else { else {
# invalidate session cookie # invalidate session cookie