FIX: Make serverside and clientside omniauth origin redirects consistent

Previously external domains were allowed in the client-side redirects, but not the server-side redirects. Now the behavior is to only allow local origins.
2025-05-31 11:27:52 +08:00 · 2019-05-15 09:55:31 +01:00
parent 64e81f0549
commit 1299c94a52
2 changed files with 20 additions and 8 deletions
--- a/app/controllers/users/omniauth_callbacks_controller.rb
+++ b/app/controllers/users/omniauth_callbacks_controller.rb
@ -44,18 +44,18 @@ class Users::OmniauthCallbacksController < ApplicationController
      @auth_result = authenticator.after_authenticate(auth)
    end

-    origin = request.env['omniauth.origin']
+    preferred_origin = request.env['omniauth.origin']

    if SiteSetting.enable_sso_provider && payload = cookies.delete(:sso_payload)
-      origin = session_sso_provider_url + "?" + payload
+      preferred_origin = session_sso_provider_url + "?" + payload
    elsif cookies[:destination_url].present?
-      origin = cookies[:destination_url]
+      preferred_origin = cookies[:destination_url]
      cookies.delete(:destination_url)
    end

-    if origin.present?
+    if preferred_origin.present?
      parsed = begin
-        URI.parse(origin)
+        URI.parse(preferred_origin)
      rescue URI::Error
      end

@ -69,7 +69,7 @@ class Users::OmniauthCallbacksController < ApplicationController
      @origin = Discourse.base_uri("/")
    end

-    @auth_result.destination_url = origin
+    @auth_result.destination_url = @origin

    if @auth_result.failed?
      flash[:error] = @auth_result.failed_reason.html_safe