This commit is contained in:
Julian Lam
2016-08-22 16:24:28 -04:00
parent de49de3c56
commit 60ea7d5121
4 changed files with 19 additions and 6 deletions


@@ -6,6 +6,7 @@ var passport = require('passport');
var nconf = require('nconf');
var validator = require('validator');
var _ = require('underscore');
var url = require('url');
var db = require('../database');
var meta = require('../meta');
@@ -168,7 +169,7 @@ authenticationController.registerComplete = function(req, res, next) {
} else {
res.redirect(nconf.get('relative_path') + '/');
}
}
};
async.parallel(callbacks, function(err) {
if (err) {
@@ -187,7 +188,7 @@ authenticationController.registerComplete = function(req, res, next) {
});
};
authenticationController.registerAbort = function(req, res, next) {
authenticationController.registerAbort = function(req, res) {
// End the session and redirect to home
req.session.destroy(function() {
res.redirect(nconf.get('relative_path') + '/');
@@ -197,7 +198,11 @@ authenticationController.registerAbort = function(req, res, next) {
authenticationController.login = function(req, res, next) {
// Handle returnTo data
if (req.body.hasOwnProperty('returnTo') && !req.session.returnTo) {
req.session.returnTo = req.body.returnTo;
// As req.body is data obtained via userland, it is untrusted, restrict to internal links only
var parsed = url.parse(req.body.returnTo);
var isInternal = utils.isInternalURI(url.parse(req.body.returnTo), nconf.get('url_parsed'), nconf.get('relative_path'));
req.session.returnTo = isInternal ? req.body.returnTo : nconf.get('url');
}
if (plugins.hasListeners('action:auth.overrideLogin')) {
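Review bot: The parsed result on the `var parsed = url.parse(req.body.returnTo);` line is never used, and the next line re-parses the same string, so the check should consume `parsed` and, more importantly, parse with `slashesDenoteHost` enabled: `url.parse('//evil.example')` yields no `host` and a pathname of `//evil.example`, so unless `utils.isInternalURI` explicitly rejects protocol-relative paths (its body is not visible here, and `utils` is not among the requires shown in this section), a protocol-relative `returnTo` could pass as internal and `res.redirect` would leave the site. Suggested change: `var parsed = url.parse(req.body.returnTo, false, true);` followed by `var isInternal = utils.isInternalURI(parsed, nconf.get('url_parsed'), nconf.get('relative_path'));`. The guard should also require a string, since a body parser that builds nested objects can deliver an array or object for `returnTo` and `url.parse` throws a TypeError on non-strings, turning an untrusted field into an unhandled exception in the login handler: `if (req.body.hasOwnProperty('returnTo') && typeof req.body.returnTo === 'string' && !req.session.returnTo) {`. The `login` function continues past the end of this hunk.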