From 6c49dc2d1f602752831901a4202a87806f7e4732 Mon Sep 17 00:00:00 2001 From: =?utf8?q?John=20Molakvo=C3=A6=20=28skjnldsv=29?= Date: Fri, 10 Apr 2020 08:50:15 +0200 Subject: [PATCH] Fix absolute redirect MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Signed-off-by: John Molakvoæ (skjnldsv) --- core/Controller/LoginController.php | 2 +- tests/Core/Controller/LoginControllerTest.php | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/core/Controller/LoginController.php b/core/Controller/LoginController.php index b3f7bb310ba..60fd22bd0d1 100644 --- a/core/Controller/LoginController.php +++ b/core/Controller/LoginController.php @@ -260,7 +260,7 @@ class LoginController extends Controller { private function generateRedirect(?string $redirectUrl): RedirectResponse { if ($redirectUrl !== null && $this->userSession->isLoggedIn()) { - $location = $this->urlGenerator->getAbsoluteURL(urldecode($redirectUrl)); + $location = $this->urlGenerator->getAbsoluteURL($redirectUrl); // Deny the redirect if the URL contains a @ // This prevents unvalidated redirects like ?redirect_url=:user@domain.com if (strpos($location, '@') === false) { diff --git a/tests/Core/Controller/LoginControllerTest.php b/tests/Core/Controller/LoginControllerTest.php index 80be53ed26d..e9d4a89aa7d 100644 --- a/tests/Core/Controller/LoginControllerTest.php +++ b/tests/Core/Controller/LoginControllerTest.php @@ -509,7 +509,7 @@ class LoginControllerTest extends TestCase { ->method('getUID') ->willReturn('jane'); $password = 'secret'; - $originalUrl = 'another%20url'; + $originalUrl = 'another url'; $redirectUrl = 'http://localhost/another url'; $this->request @@ -551,7 +551,7 @@ class LoginControllerTest extends TestCase { $this->request, $user, $password, - '%2Fapps%2Fmail' + '/apps/mail' ); $loginResult = LoginResult::success($loginData); $this->chain->expects($this->once()) @@ -563,11 +563,11 @@ class LoginControllerTest extends TestCase { ->willReturn(true); $this->urlGenerator->expects($this->once()) ->method('getAbsoluteURL') - ->with(urldecode('/apps/mail')) + ->with('/apps/mail') ->willReturn($redirectUrl); $expected = new \OCP\AppFramework\Http\RedirectResponse($redirectUrl); - $response = $this->loginController->tryLogin($user, $password, '%2Fapps%2Fmail'); + $response = $this->loginController->tryLogin($user, $password, '/apps/mail'); $this->assertEquals($expected, $response); } -- 2.39.5