Updated public-login redirect to check url
Direct links to the login pages for public instances could lead to a redirect back to an external page upon login. This adds a check to ensure the URL is a URL expected from the current bookstack instance, or at least under the same domain. Fixes #2073
This commit is contained in:
parent
2ed0317129
commit
2c0fdf83c1
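--- a/<path-not-shown>/LoginController.php
+++ b/<path-not-shown>/LoginController.php
@@ -77,10 +77,14 @@ class LoginController extends Controller
         ]);
     }
 
+        // Store the previous location for redirect after login
         $previous = url()->previous('');
-        if (setting('app-public') && $previous && $previous !== url('/login')) {
+        if ($previous && $previous !== url('/login') && setting('app-public')) {
+            $isPreviousFromInstance = (strpos($previous, url('/')) === 0);
+            if ($isPreviousFromInstance) {
                 redirect()->setIntendedUrl($previous);
             }
+        }
 
         return view('auth.login', [
             'socialDrivers' => $socialDrivers,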
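Review bot: The origin check on `$isPreviousFromInstance` is a bare string-prefix test, so if `url('/')` carries no trailing slash (Laravel normally returns the root without one) any absolute URL whose host merely begins with the instance host still passes and is stored as the intended redirect. The check should match the full origin followed by a path separator rather than a prefix of the host, for example `$isPreviousFromInstance = (strpos($previous . '/', rtrim(url('/'), '/') . '/') === 0);`, or compare the scheme, host and port from `parse_url($previous)` against those of `url('/')`. Either form also rejects a referer that differs only in port, which is the intended behaviour for an origin check. The enclosing method starts before this hunk and its `return view(...)` continues past it.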
@ -381,6 +381,17 @@ class AuthTest extends BrowserKitTest
|
|||||||
->seePageUrlIs($page->getUrl());
|
->seePageUrlIs($page->getUrl());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function test_login_intended_redirect_does_not_redirect_to_external_pages()
|
||||||
|
{
|
||||||
|
config()->set('app.url', 'http://localhost');
|
||||||
|
$this->setSettings(['app-public' => true]);
|
||||||
|
|
||||||
|
$this->get('/login', ['referer' => 'https://example.com']);
|
||||||
|
$login = $this->post('/login', ['email' => 'admin@admin.com', 'password' => 'password']);
|
||||||
|
|
||||||
|
$login->assertRedirectedTo('http://localhost');
|
||||||
|
}
|
||||||
|
|
||||||
public function test_login_authenticates_admins_on_all_guards()
|
public function test_login_authenticates_admins_on_all_guards()
|
||||||
{
|
{
|
||||||
$this->post('/login', ['email' => 'admin@admin.com', 'password' => 'password']);
|
$this->post('/login', ['email' => 'admin@admin.com', 'password' => 'password']);
|
||||||
|
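Review bot: `test_login_intended_redirect_does_not_redirect_to_external_pages` only exercises a referer on an unrelated host, so it would not catch a referer whose host starts with the instance host but is a different origin, which is exactly the boundary the new prefix check in `LoginController` is meant to enforce. A second request in this test, with a constructed referer such as `'http://localhost.example'` and the same `assertRedirectedTo('http://localhost')`, would pin that boundary. A companion positive case (a referer under `http://localhost/` redirecting back to that page) would document the intended-redirect behaviour the test name implies. The enclosing test class continues past this hunk.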