fixes #4966

2025-11-02 12:05:57 +01:00 · 2016-08-22 16:24:28 -04:00
parent de49de3c56
commit 60ea7d5121
4 changed files with 19 additions and 6 deletions
--- a/app.js
+++ b/app.js
@@ -103,6 +103,8 @@ function loadConfig() {
 	nconf.set('themes_path', path.resolve(__dirname, nconf.get('themes_path')));
 	nconf.set('core_templates_path', path.join(__dirname, 'src/views'));
 	nconf.set('base_templates_path', path.join(nconf.get('themes_path'), 'nodebb-theme-persona/templates'));
 	nconf.set('url_parsed', url.parse(nconf.get('url')));
 }
--- a/public/src/ajaxify.js
+++ b/public/src/ajaxify.js
@@ -334,9 +334,7 @@ $(document).ready(function() {
 				return;
 			}
-			var internalLink = this.host === '' ||	// Relative paths are always internal links
+			var internalLink = utils.isInternalURI(this, window.location, RELATIVE_PATH);
 				(this.host === window.location.host && this.protocol === window.location.protocol &&	// Otherwise need to check if protocol and host match
 				(RELATIVE_PATH.length > 0 ? this.pathname.indexOf(RELATIVE_PATH) === 0 : true));	// Subfolder installs need this additional check
 			if ($(this).attr('data-ajaxify') === 'false') {
 				if (!internalLink) {
--- a/public/src/utils.js
+++ b/public/src/utils.js
@@ -431,6 +431,14 @@
 			}
 			return utils.props(obj[prop], newProps, value);
 		},
 		isInternalURI: function(targetLocation, referenceLocation, relative_path) {
 			return targetLocation.host === '' ||	// Relative paths are always internal links
 				(
 					targetLocation.host === referenceLocation.host && targetLocation.protocol === referenceLocation.protocol &&	// Otherwise need to check if protocol and host match
 					(relative_path.length > 0 ? targetLocation.pathname.indexOf(relative_path) === 0 : true)	// Subfolder installs need this additional check
 				);
 		}
 	};
--- a/src/controllers/authentication.js
+++ b/src/controllers/authentication.js
@@ -6,6 +6,7 @@ var passport = require('passport');
 var nconf = require('nconf');
 var validator = require('validator');
 var _ = require('underscore');
 var url = require('url');
 var db = require('../database');
 var meta = require('../meta');
@@ -168,7 +169,7 @@ authenticationController.registerComplete = function(req, res, next) {
 			} else {
 				res.redirect(nconf.get('relative_path') + '/');
 			}
-		}
+		};
 		async.parallel(callbacks, function(err) {
 			if (err) {
@@ -187,7 +188,7 @@ authenticationController.registerComplete = function(req, res, next) {
 	});
 };
-authenticationController.registerAbort = function(req, res, next) {
+authenticationController.registerAbort = function(req, res) {
 	// End the session and redirect to home
 	req.session.destroy(function() {
 		res.redirect(nconf.get('relative_path') + '/');
@@ -197,7 +198,11 @@ authenticationController.registerAbort = function(req, res, next) {
 authenticationController.login = function(req, res, next) {
 	// Handle returnTo data
 	if (req.body.hasOwnProperty('returnTo') && !req.session.returnTo) {
-		req.session.returnTo = req.body.returnTo;
+		// As req.body is data obtained via userland, it is untrusted, restrict to internal links only
 		var parsed = url.parse(req.body.returnTo);
 		var isInternal = utils.isInternalURI(url.parse(req.body.returnTo), nconf.get('url_parsed'), nconf.get('relative_path'));
 		req.session.returnTo = isInternal ? req.body.returnTo : nconf.get('url');
 	}
 	if (plugins.hasListeners('action:auth.overrideLogin')) {