Refuse unsecure redirect urls

This commit is contained in:
James Cole
2021-10-02 12:50:21 +02:00
parent 437f939c57
commit 2e3877f770


@@ -176,11 +176,24 @@ trait UserNavigation
/** @var ViewErrorBag|null $errors */
$errors = session()->get('errors');
$forbidden = ['json', 'debug'];
if ((null === $errors || (0 === $errors->count())) && !Str::contains($return, $forbidden)) {
// get default host:
$default = parse_url(route('index'), PHP_URL_HOST);
// get host of previous URL:
$previous = parse_url($return, PHP_URL_HOST);
if ($default === $previous && (null === $errors || (0 === $errors->count())) && !Str::contains($return, $forbidden)) {
Log::debug(sprintf('Saving URL %s under key %s', $return, $identifier));
session()->put($identifier, $return);
return $return;
}
// if no match, save default URL:
Log::info(sprintf('Refuse to set "%s" as redirect, set default route instead.', $return));
session()->put($identifier, route('index'));
return $return;
}
}
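Review bot: The refusal branch stores `route('index')` in the session but still hands the rejected URL back to the caller on the last `return $return;`, so any call site that redirects using the return value bypasses the new host check; the two should agree, `return route('index');`. The comparison `$default === $previous` also rejects relative URLs, since `parse_url($return, PHP_URL_HOST)` is null for them while the default host is not — if relative paths were previously accepted this is a behaviour change worth a comment, e.g. `// only absolute URLs on the application host are accepted as redirect targets`. Scheme and port are not compared, so a same-host URL with a different scheme or port still passes; whether that is acceptable depends on the deployment. The start of the enclosing method lies outside the hunk.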