safer redirects with login/logout

* properly escape goto parameter * do not redirect to anywhere, only to the same server, no query parameters This should still allow valid targets, like `/account.html`, `/boardname/manage/whatever` while disallow things like `https://othersite.com`.
4 years ago · 6f1ab5292f
parent d6567bdbbe
commit 6f1ab5292f
2 changed files with 7 additions and 3 deletions
--- a/helpers/checks/isloggedin.js
+++ b/helpers/checks/isloggedin.js
@ -7,7 +7,7 @@ module.exports = async (req, res, next) => {
 	let goto;
 	if (req.method === 'GET' && req.path) {
 		//coming from a GET page isLoggedIn middleware check
-		goto = req.path;
+		goto = encodeURIComponent(req.path);
 	}
 	return res.redirect(`/login.html${goto ? '?goto='+goto : ''}`);
 }
--- a/models/forms/login.js
+++ b/models/forms/login.js
@ -8,8 +8,12 @@ module.exports = async (req, res, next) => {

 	const username = req.body.username.toLowerCase();
 	const password = req.body.password;
-	const goto = req.body.goto || '/account.html';
-	const failRedirect = `/login.html${goto ? '?goto='+goto : ''}`
+	let goto = req.body.goto;
+	// we don't want to redirect the user to random sites
+	if (goto == null || !/^\/[0-9a-zA-Z][0-9a-zA-Z._/-]*$/.test(goto)) {
+		goto = '/account.html';
+	}
+	const failRedirect = `/login.html${goto ? '?goto='+encodeURIComponent(goto) : ''}`

 	//fetch an account
 	const account = await Accounts.findOne(username);