fix: prevent malicious url in unsupported browser redirect

Signed-off-by: John Molakvoæ <skjnldsv@protonmail.com>
author: John Molakvoæ <skjnldsv@protonmail.com> 2023-05-11 08:56:15 +0200
committer: John Molakvoæ <skjnldsv@protonmail.com> 2023-05-11 08:56:15 +0200
commit: 68abba8d73612175441221dd60e201dbeb9f694a (patch)
tree: e2ced7a2a985d4705c825d4795bf6f6dc6742821 /core
parent: db026840082432f8b851171a8f0e8374de818ee1 (diff)
download: nextcloud-server-68abba8d73612175441221dd60e201dbeb9f694a.tar.gz
nextcloud-server-68abba8d73612175441221dd60e201dbeb9f694a.zip
1 files changed, 4 insertions, 2 deletions
diff --git a/core/src/views/UnsupportedBrowser.vue b/core/src/views/UnsupportedBrowser.vue
index bf45919d2bd..f9125fa9958 100644
--- a/core/src/views/UnsupportedBrowser.vue
+++ b/core/src/views/UnsupportedBrowser.vue
@@ -141,8 +141,10 @@ export default {
 			const urlParams = new URLSearchParams(window.location.search)
 			if (urlParams.has('redirect_url')) {
 				const redirectPath = Buffer.from(urlParams.get('redirect_url'), 'base64').toString() || '/'
-				window.location = redirectPath
-				return
+				if (redirectPath.startsWith('/')) {
+					window.location = generateUrl(redirectPath)
+					return
+				}
 			}
 			window.location = generateUrl('/')
 		},
author	John Molakvoæ <skjnldsv@protonmail.com>	2023-05-11 08:56:15 +0200
committer	John Molakvoæ <skjnldsv@protonmail.com>	2023-05-11 08:56:15 +0200
commit	68abba8d73612175441221dd60e201dbeb9f694a (patch)
tree	e2ced7a2a985d4705c825d4795bf6f6dc6742821 /core
parent	db026840082432f8b851171a8f0e8374de818ee1 (diff)
download	nextcloud-server-68abba8d73612175441221dd60e201dbeb9f694a.tar.gz nextcloud-server-68abba8d73612175441221dd60e201dbeb9f694a.zip