github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-23 10:31:10 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

FEATURE: setting to allow arbitrary redirects from sso origin

Browse Source 
if sso_allows_all_return_paths is set to true you can redirect off-site from sso success
This commit is contained in:
Sam
2016-12-16 13:37:44 +11:00
parent 6ff309aa80
commit 61eb134181
4 changed files with 16 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
app/controllers/session_controller.rb
View File

@ -118,7 +118,7 @@ class SessionController < ApplicationController
if return_path !~ /^\/[^\/]/ if return_path !~ /^\/[^\/]/
begin begin
uri = URI(return_path) uri = URI(return_path)
return_path = path("/") unless uri.host == Discourse.current_hostname return_path = path("/") unless SiteSetting.sso_allows_all_return_paths || uri.host == Discourse.current_hostname
rescue rescue
return_path = path("/") return_path = path("/")
end end

1
config/locales/server.en.yml
View File

@ -1020,6 +1020,7 @@ en:
sso_overrides_name: "Overrides local full name with external site full name from SSO payload on every login, and prevent local changes." sso_overrides_name: "Overrides local full name with external site full name from SSO payload on every login, and prevent local changes."
sso_overrides_avatar: "Overrides user avatar with external site avatar from SSO payload. If enabled, disabling allow_uploaded_avatars is highly recommended" sso_overrides_avatar: "Overrides user avatar with external site avatar from SSO payload. If enabled, disabling allow_uploaded_avatars is highly recommended"
sso_not_approved_url: "Redirect unapproved SSO accounts to this URL" sso_not_approved_url: "Redirect unapproved SSO accounts to this URL"
sso_allows_all_return_paths: "Do not restrict the domain for return_paths provided by SSO (by default return path must be on current site)"
enable_local_logins: "Enable local username and password login based accounts. (Note: this must be enabled for invites to work)" enable_local_logins: "Enable local username and password login based accounts. (Note: this must be enabled for invites to work)"
allow_new_registrations: "Allow new user registrations. Uncheck this to prevent anyone from creating a new account." allow_new_registrations: "Allow new user registrations. Uncheck this to prevent anyone from creating a new account."

1
config/site_settings.yml
View File

@ -298,6 +298,7 @@ login:
enable_sso: enable_sso:
client: true client: true
default: false default: false
sso_allows_all_return_paths: false
enable_sso_provider: false enable_sso_provider: false
verbose_sso_logging: false verbose_sso_logging: false
sso_url: sso_url:

13
spec/controllers/session_controller_spec.rb
View File

@ -141,6 +141,19 @@ describe SessionController do
expect(response).to redirect_to('/b/') expect(response).to redirect_to('/b/')
end end
it 'redirects to random url if it is allowed' do
SiteSetting.sso_allows_all_return_paths = true
sso = get_sso('https://gusundtrout.com')
sso.external_id = '666' # the number of the beast
sso.email = 'bob@bob.com'
sso.name = 'Sam Saffron'
sso.username = 'sam'
get :sso_login, Rack::Utils.parse_query(sso.payload)
expect(response).to redirect_to('https://gusundtrout.com')
end
it 'redirects to root if the host of the return_path is different' do it 'redirects to root if the host of the return_path is different' do
sso = get_sso('//eviltrout.com') sso = get_sso('//eviltrout.com')
sso.external_id = '666' # the number of the beast sso.external_id = '666' # the number of the beast