From 3ae4fcd1f7cc45d709be71fed53579ffe684726d Mon Sep 17 00:00:00 2001 From: Sam Date: Fri, 9 Nov 2018 17:03:42 +1100 Subject: [PATCH] Improve redirect avoidance for /sso paths e6b3310577582fc702913ac084d41bdf7006439d was missing an ege case where return url included current_hostname --- app/controllers/session_controller.rb | 6 +++++- spec/requests/session_controller_spec.rb | 9 +++++++++ 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/app/controllers/session_controller.rb b/app/controllers/session_controller.rb index 175844a8204..fbd9859e6af 100644 --- a/app/controllers/session_controller.rb +++ b/app/controllers/session_controller.rb @@ -162,7 +162,11 @@ class SessionController < ApplicationController if return_path !~ /^\/[^\/]/ begin uri = URI(return_path) - return_path = path("/") unless SiteSetting.sso_allows_all_return_paths || uri.host == Discourse.current_hostname + if (uri.hostname == Discourse.current_hostname) + return_path = uri.request_uri + elsif !SiteSetting.sso_allows_all_return_paths + return_path = path("/") + end rescue return_path = path("/") end diff --git a/spec/requests/session_controller_spec.rb b/spec/requests/session_controller_spec.rb index 96427a9d76f..7264196a618 100644 --- a/spec/requests/session_controller_spec.rb +++ b/spec/requests/session_controller_spec.rb @@ -311,6 +311,15 @@ RSpec.describe SessionController do get "/session/sso_login", params: Rack::Utils.parse_query(sso.payload), headers: headers expect(response).to redirect_to('/') + + sso = get_sso("http://#{Discourse.current_hostname}/sso?bla=1") + sso.email = user.email + sso.external_id = 'abc' + sso.username = 'sam' + + get "/session/sso_login", params: Rack::Utils.parse_query(sso.payload), headers: headers + expect(response).to redirect_to('/') + end it 'can take over an account' do