author | John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com> | 2020-04-10 09:50:15 +0300 |
---|---|---|
committer | backportbot[bot] <backportbot[bot]@users.noreply.github.com> | 2020-04-15 12:30:10 +0300 |
commit | 8d72a2adef0f858bef4bcbc4f8f8944dc80a82f6 (patch) | |
tree | dcae7588c692ca809a981ea25a2484c6caa8c06b | |
parent | 7d412b5733add714f589b761fa36fcc98039c2eb (diff) |
Fix absolute redirect
Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
-rw-r--r-- | core/Controller/LoginController.php | 2 | ||||
-rw-r--r-- | tests/Core/Controller/LoginControllerTest.php | 6 |
2 files changed, 4 insertions, 4 deletions
diff --git a/core/Controller/LoginController.php b/core/Controller/LoginController.php
index 13aef8f67ab..6446941ff9c 100644
--- a/core/Controller/LoginController.php
+++ b/core/Controller/LoginController.php
@@ -253,7 +253,7 @@ class LoginController extends Controller {
 private function generateRedirect(?string $redirectUrl): RedirectResponse {
 if ($redirectUrl !== null && $this->userSession->isLoggedIn()) {
- $location = $this->urlGenerator->getAbsoluteURL(urldecode($redirectUrl));
+ $location = $this->urlGenerator->getAbsoluteURL($redirectUrl);
 // Deny the redirect if the URL contains a @
 // This prevents unvalidated redirects like ?redirect_url=:user@domain.com
 if (strpos($location, '@') === false) {
diff --git a/tests/Core/Controller/LoginControllerTest.php b/tests/Core/Controller/LoginControllerTest.php
index 6a6795a8e82..83a30def6b8 100644
--- a/tests/Core/Controller/LoginControllerTest.php
+++ b/tests/Core/Controller/LoginControllerTest.php
@@ -503,7 +503,7 @@ class LoginControllerTest extends TestCase {
 ->method('getUID')
 ->will($this->returnValue('jane'));
 $password = 'secret';
- $originalUrl = 'another%20url';
+ $originalUrl = 'another url';
 $redirectUrl = 'http://localhost/another url';
 $this->request
@@ -545,7 +545,7 @@ class LoginControllerTest extends TestCase {
 $this->request,
 $user,
 $password,
- '%2Fapps%2Fmail'
+ '/apps/mail'
 );
 $loginResult = LoginResult::success($loginData);
 $this->chain->expects($this->once())
@@ -561,7 +561,7 @@ class LoginControllerTest extends TestCase {
 ->will($this->returnValue($redirectUrl));
 $expected = new \OCP\AppFramework\Http\RedirectResponse($redirectUrl);
- $response = $this->loginController->tryLogin($user, $password, '%2Fapps%2Fmail');
+ $response = $this->loginController->tryLogin($user, $password, '/apps/mail');
 $this->assertEquals($expected, $response);
 } |
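Review bot: With `urldecode()` removed, the `strpos($location, '@') === false` guard in `generateRedirect` only sees a literal `@`, so a value that still carries the percent-encoded form after request parsing now passes the check where it was previously decoded and denied. Whether that reaches the `Location` header in a harmful shape depends on how `getAbsoluteURL()` anchors the value to the instance's base URL, which is not visible in this hunk. A single-character denylist is a fragile unvalidated-redirect check; comparing the host parsed from `$location` with the instance's own host would be sturdier. At minimum the assumption should be recorded next to the call, e.g. `// $redirectUrl is used exactly as received; it must not be decoded again before the '@' check below`. The body of `generateRedirect` continues past the end of the hunk.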
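Review bot: None of the three updated test hunks exercises the deny branch of `generateRedirect`; they only pass `'another url'` and `'/apps/mail'`. This commit changes which string reaches the `@` check, so a case whose redirect value contains `@`, plus one with its percent-encoded form, should assert that the controller falls back to its default response. That would pin the intended behaviour. The enclosing test methods start and end outside these hunks, so such a case may already exist elsewhere in the file.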