github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-22 19:11:16 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

FIX: never redirect back to /sso it will cause a loop

Browse Source 
If for any reason our return url is set to `/sso` bypass using it
for login redirect
This commit is contained in:
Sam
2018-11-09 14:27:36 +11:00
parent 515e103db6
commit e6b3310577
2 changed files with 15 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
app/controllers/session_controller.rb
View File

@ -168,6 +168,11 @@ class SessionController < ApplicationController
end end
end end
# never redirects back to sso in an sso loop
if return_path.start_with?(path("/sso"))
return_path = path("/")
end
redirect_to return_path redirect_to return_path
else else
render_sso_error(text: I18n.t("sso.not_found"), status: 500) render_sso_error(text: I18n.t("sso.not_found"), status: 500)

10
spec/requests/session_controller_spec.rb
View File

@ -303,6 +303,16 @@ RSpec.describe SessionController do
end end
it 'will never redirect back to /sso path' do
sso = get_sso("/sso?bla=1")
sso.email = user.email
sso.external_id = 'abc'
sso.username = 'sam'
get "/session/sso_login", params: Rack::Utils.parse_query(sso.payload), headers: headers
expect(response).to redirect_to('/')
end
it 'can take over an account' do it 'can take over an account' do
sso = get_sso("/") sso = get_sso("/")
user = Fabricate(:user) user = Fabricate(:user)