From 81645f24e91d71c303ea4f730a7c7ce05dd89dd6 Mon Sep 17 00:00:00 2001
From: Mike Rylander
Date: Thu, 1 Dec 2022 14:13:35 -0500
Subject: [PATCH] LP#1908576: Restrict login redirection

This commit implements a new global flag: opac.login_redirect_domains When this flag is enabled, redirection from login via redirect_to will be restricted to local URLs. For local URLs, they must either start with a / (provide an absolute path) or the hostname in the URL must match the current hostname and have a scheme of http, https, ftp, or ftps. The value for the global flag can be set to a list of comma-separated domain names. Redirection to these domains, and subdomains/hosts thereof, will also be allowed. For all non-local URLs allowed by the global flag value, the scheme must be one of http, https, ftp, or ftps.

Signed-off-by: Mike Rylander
Signed-off-by: Jason Stephenson
Signed-off-by: Jason Boyer
---
 .../src/perlmods/lib/OpenILS/WWW/EGCatLoader.pm | 27 +++++++++++++++++++++-
 Open-ILS/src/sql/Pg/950.data.seed-values.sql | 14 +++++++----
 .../Pg/upgrade/XXXX.data.login_redirect_regexp.sql | 21 +++++++++++++++++
 3 files changed, 57 insertions(+), 5 deletions(-)
 create mode 100644 Open-ILS/src/sql/Pg/upgrade/XXXX.data.login_redirect_regexp.sql

diff --git a/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader.pm b/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader.pm
index ecf6cda06e..ca64ff505b 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader.pm
@@ -734,8 +734,33 @@ sub load_login {
 );
 }
 
+ # TODO: maybe move this logic to generic_redirect()?
+ my $redirect_to = $cgi->param('redirect_to') || $acct;
+ if (my $login_redirect_gf = $self->editor->retrieve_config_global_flag('opac.login_redirect_domains')) {
+ if ($login_redirect_gf->enabled eq 't') {
+
+ my @redir_hosts = ();
+ if ($login_redirect_gf->value) {
+ @redir_hosts = map { '(?:[^/.]+\.)*' . quotemeta($_) } grep { $_ } split(/,\s*/, $login_redirect_gf->value);
+ }
+ unshift @redir_hosts, quotemeta($ctx->{hostname});
+
+ my $hn = join('|', @redir_hosts);
+ my $relative_redir = qr#^(?:(?:(?:(?:f|ht)tps?:)?(?://(?:$hn))(?:/|$))|/$|/[^/]+)#;
+
+ if ($redirect_to !~ $relative_redir) {
+ $logger->warn(
+ "Login redirection of [$redirect_to] ".
+ "disallowed based on Global Flag opac.".
+ "login_redirect_domains RE [$relative_redir]"
+ );
+ $redirect_to = $acct; # fall back to myopac/main
+ }
+ }
+ }
+
 return $self->generic_redirect(
- $cgi->param('redirect_to') || $acct,
+ $redirect_to,
 $cookie_list
 );
 }
diff --git a/Open-ILS/src/sql/Pg/950.data.seed-values.sql b/Open-ILS/src/sql/Pg/950.data.seed-values.sql
index dd9793f043..71eb8180b1 100644
--- a/Open-ILS/src/sql/Pg/950.data.seed-values.sql
+++ b/Open-ILS/src/sql/Pg/950.data.seed-values.sql
@@ -22087,10 +22087,7 @@ VALUES (
 'Limit the number of global concurrent matching search queries',
 'cgf', 'label'
 )
-);
-
-INSERT INTO config.global_flag (name, value, enabled, label)
-VALUES (
+), (
 'opac.max_concurrent_search.ip',
 '0',
 TRUE,
@@ -22099,5 +22096,14 @@ VALUES (
 'Limit the number of global concurrent searches per client IP address',
 'cgf', 'label'
 )
+), (
+ 'opac.login_redirect_domains',
+ '',
+ TRUE,
+ oils_i18n_gettext(
+ 'opac.login_redirect_domains',
+ 'Restrict post-login redirection to local URLs, or those that match the supplied comma-separated list of foreign domains or host names.',
+ 'cgf', 'label'
+ )
 );
 
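Review bot: The subdomain wildcard `'(?:[^/.]+\.)*'` prepended to each configured domain when building `@redir_hosts` admits characters that terminate the authority in a real URL parser (`?`, `#`, `@`, `\`), so a URL whose actual host ends before the configured suffix can still satisfy `$relative_redir` whenever the flag value lists foreign domains; restricting the prefix to hostname label characters, `'(?:[A-Za-z0-9-]+\.)*' . quotemeta($_)`, closes that gap. The `/[^/]+` alternative has a similar weakness if generic_redirect writes the value into a Location header unchanged, because browsers following the WHATWG URL parser treat a leading `/\` like `//`; `/[^/\\]+` is the safer form. The `$` anchors in the same pattern also accept a trailing newline, which `\z` would not. load_login begins outside the hunk, so `$cgi`, `$acct`, `$ctx` and `$logger` are assumed to be the variables declared there.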
diff --git a/Open-ILS/src/sql/Pg/upgrade/XXXX.data.login_redirect_regexp.sql b/Open-ILS/src/sql/Pg/upgrade/XXXX.data.login_redirect_regexp.sql
new file mode 100644
index 0000000000..c8a5f98f3a
--- /dev/null
+++ b/Open-ILS/src/sql/Pg/upgrade/XXXX.data.login_redirect_regexp.sql
@@ -0,0 +1,21 @@
+BEGIN;
+
+-- check whether patch can be applied
+SELECT evergreen.upgrade_deps_block_check('XXXX', :eg_version);
+
+-- 950.data.seed-values.sql
+
+INSERT INTO config.global_flag (name, value, enabled, label)
+VALUES (
+ 'opac.login_redirect_domains',
+ '',
+ TRUE,
+ oils_i18n_gettext(
+ 'opac.login_redirect_domains',
+ 'Restrict post-login redirection to local URLs, or those that match the supplied comma-separated list of foreign domains or host names.',
+ 'cgf', 'label'
+ )
+);
+
+COMMIT;
+
-- 
2.11.0