Updated public-login redirect to check url

Direct links to the login pages for public instances could lead to a redirect back to an external page upon login. This adds a check to ensure the URL is a URL expected from the current bookstack instance, or at least under the same domain. Fixes #2073
2024-07-07 20:02:40 +00:00 · 2020-07-28 16:27:16 +01:00 · 2020-07-28 16:27:16 +01:00 · 2c0fdf83c1
commit 2c0fdf83c1
parent 2ed0317129
2 changed files with 17 additions and 2 deletions
--- a/app/Http/Controllers/Auth/LoginController.php
+++ b/app/Http/Controllers/Auth/LoginController.php
@ -77,9 +77,13 @@ class LoginController extends Controller
            ]);
        }

+        // Store the previous location for redirect after login
        $previous = url()->previous('');
-        if (setting('app-public') && $previous && $previous !== url('/login')) {
-            redirect()->setIntendedUrl($previous);
+        if ($previous && $previous !== url('/login') && setting('app-public')) {
+            $isPreviousFromInstance = (strpos($previous, url('/')) === 0);
+            if ($isPreviousFromInstance) {
+                redirect()->setIntendedUrl($previous);
+            }
        }

        return view('auth.login', [
--- a/tests/Auth/AuthTest.php
+++ b/tests/Auth/AuthTest.php
@ -381,6 +381,17 @@ class AuthTest extends BrowserKitTest
            ->seePageUrlIs($page->getUrl());
    }

+    public function test_login_intended_redirect_does_not_redirect_to_external_pages()
+    {
+        config()->set('app.url', 'http://localhost');
+        $this->setSettings(['app-public' => true]);
+
+        $this->get('/login', ['referer' => 'https://example.com']);
+        $login = $this->post('/login', ['email' => 'admin@admin.com', 'password' => 'password']);
+
+        $login->assertRedirectedTo('http://localhost');
+    }
+
    public function test_login_authenticates_admins_on_all_guards()
    {
        $this->post('/login', ['email' => 'admin@admin.com', 'password' => 'password']);