From 27c128984a6ffe528117dfabdf456f43d6c7e096 Mon Sep 17 00:00:00 2001 From: Mike Rylander Date: Thu, 1 Dec 2022 14:13:35 -0500 Subject: [PATCH] LP#1908576: Restrict login redirection This commit implements a new global flag: opac.login_redirect_domains When this flag is enabled, redirection from login via redirect_to will be restricted to local URLs. For local URLs, they must either start with a / (provide an absolute path) or the hostname in the URL must match the current hostname and have a scheme of http, https, ftp, or ftps. The value for the global flag can be set to a list of comma-separated domain names. Redirection to these domains, and subdomains/hosts thereof, will also be allowed. For all non-local URLs allowed by the global flag value, the scheme must be one of http, https, ftp, or ftps. Signed-off-by: Mike Rylander Signed-off-by: Jason Stephenson Signed-off-by: Jason Boyer --- .../src/perlmods/lib/OpenILS/WWW/EGCatLoader.pm | 23 ++++++++++++++++++++++ Open-ILS/src/sql/Pg/950.data.seed-values.sql | 14 +++++++++---- .../Pg/upgrade/XXXX.data.login_redirect_regexp.sql | 21 ++++++++++++++++++++ 3 files changed, 54 insertions(+), 4 deletions(-) create mode 100644 Open-ILS/src/sql/Pg/upgrade/XXXX.data.login_redirect_regexp.sql diff --git a/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader.pm b/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader.pm index f5c59a968c..3df5c1d91e 100644 --- a/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader.pm +++ b/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader.pm @@ -716,7 +716,30 @@ sub load_login { ); } + # TODO: maybe move this logic to generic_redirect()? my $redirect_to = $cgi->param('redirect_to') || $acct; + if (my $login_redirect_gf = $self->editor->retrieve_config_global_flag('opac.login_redirect_domains')) { + if ($login_redirect_gf->enabled eq 't') { + + my @redir_hosts = (); + if ($login_redirect_gf->value) { + @redir_hosts = map { '(?:[^/.]+\.)*' . quotemeta($_) } grep { $_ } split(/,\s*/, $login_redirect_gf->value); + } + unshift @redir_hosts, quotemeta($ctx->{hostname}); + + my $hn = join('|', @redir_hosts); + my $relative_redir = qr#^(?:(?:(?:(?:f|ht)tps?:)?(?://(?:$hn))(?:/|$))|/$|/[^/]+)#; + + if ($redirect_to !~ $relative_redir) { + $logger->warn( + "Login redirection of [$redirect_to] ". + "disallowed based on Global Flag opac.". + "login_redirect_domains RE [$relative_redir]" + ); + $redirect_to = $acct; # fall back to myopac/main + } + } + } return $self->_perform_any_sso_required($response, $redirect_to, $cookie_list) diff --git a/Open-ILS/src/sql/Pg/950.data.seed-values.sql b/Open-ILS/src/sql/Pg/950.data.seed-values.sql index ec54030d8b..9de9799935 100644 --- a/Open-ILS/src/sql/Pg/950.data.seed-values.sql +++ b/Open-ILS/src/sql/Pg/950.data.seed-values.sql @@ -23281,10 +23281,7 @@ VALUES ( 'Limit the number of global concurrent matching search queries', 'cgf', 'label' ) -); - -INSERT INTO config.global_flag (name, value, enabled, label) -VALUES ( +), ( 'opac.max_concurrent_search.ip', '0', TRUE, @@ -23293,6 +23290,15 @@ VALUES ( 'Limit the number of global concurrent searches per client IP address', 'cgf', 'label' ) +), ( + 'opac.login_redirect_domains', + '', + TRUE, + oils_i18n_gettext( + 'opac.login_redirect_domains', + 'Restrict post-login redirection to local URLs, or those that match the supplied comma-separated list of foreign domains or host names.', + 'cgf', 'label' + ) ); INSERT INTO config.global_flag (name, enabled, label) VALUES ( diff --git a/Open-ILS/src/sql/Pg/upgrade/XXXX.data.login_redirect_regexp.sql b/Open-ILS/src/sql/Pg/upgrade/XXXX.data.login_redirect_regexp.sql new file mode 100644 index 0000000000..c8a5f98f3a --- /dev/null +++ b/Open-ILS/src/sql/Pg/upgrade/XXXX.data.login_redirect_regexp.sql @@ -0,0 +1,21 @@ +BEGIN; + +-- check whether patch can be applied +SELECT evergreen.upgrade_deps_block_check('XXXX', :eg_version); + +-- 950.data.seed-values.sql + +INSERT INTO config.global_flag (name, value, enabled, label) +VALUES ( + 'opac.login_redirect_domains', + '', + TRUE, + oils_i18n_gettext( + 'opac.login_redirect_domains', + 'Restrict post-login redirection to local URLs, or those that match the supplied comma-separated list of foreign domains or host names.', + 'cgf', 'label' + ) +); + +COMMIT; + -- 2.11.0