Handle WEBROOT_REDIRECT better

main
Florent Daigniere 1 year ago
parent e1739befc0
commit 1831ca3b1e

@ -21,7 +21,7 @@ def login():
fields = []
if flask.request.args.get('url'):
if 'url' in flask.request.args and not 'homepage' in flask.request.url:
fields.append(form.submitAdmin)
else:
form.submitAdmin.label.text = form.submitAdmin.label.text + ' Admin'
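Review bot: The `'homepage'` marker is matched as a substring of the whole `flask.request.url` (scheme, host, path and the client-supplied query string), both in this condition in `login()` and in the new guard at the top of `_has_usable_redirect()` in the next hunk. Any request whose hostname or `url` target merely contains that word is therefore treated as the webroot fallback and loses its redirect target. That fails closed for open redirects, but the check cannot tell the marker nginx appends from one a client typed, and the client can also use it to change which submit buttons the form shows. If the marker is expected inside the `url` value (the full request flow is not visible here, so confirm against the nginx template), compare it with the parsed query of that value in one shared helper, e.g. `urlparse(flask.request.args.get('url', '')).query == 'homepage'`, and spell the negation as `'homepage' not in ...`. Both functions continue outside their hunks.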
@ -79,6 +79,8 @@ Redirect to the url passed in parameter if any; Ensure that this is not an open-
https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
"""
def _has_usable_redirect():
if 'homepage' in flask.request.url:
return None
if url := flask.request.args.get('url'):
url = url_unquote(url)
target = urlparse(urljoin(flask.request.url, url))

@ -173,11 +173,15 @@ http {
}
{% endif %}
location @sso_login {
return 302 /sso/login?url=$request_uri;
}
{% if WEB_WEBMAIL != '/' and WEBROOT_REDIRECT != 'none' %}
location / {
expires $expires;
{% if WEBROOT_REDIRECT %}
try_files $uri {{ WEBROOT_REDIRECT }};
try_files $uri {{ WEBROOT_REDIRECT }}?homepage;
{% else %}
try_files $uri =404;
{% endif %}
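Review bot: In `try_files $uri {{ WEBROOT_REDIRECT }}?homepage;` the `?homepage` suffix is appended to an operator-supplied value without checking whether it already carries a query string, so a setting such as `/path?x=1` (constructed example) would render a fallback URI with two `?`. The shared `@sso_login` location at the top of this hunk also places `$request_uri` unescaped into `url=`, so `&`-separated parameters of the original request reach /sso/login as separate top-level arguments and the `url` value is cut at the first `&`. That leaves the login view's own redirect validation as the only control on the value. I would record both constraints next to the lines, e.g. `# WEBROOT_REDIRECT must be a path without a query string; ?homepage marks the webroot fallback for the SSO login view` and `# $request_uri is not escaped here; /sso/login must treat url= as untrusted`. The enclosing `http {` block starts and ends outside the hunk.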
@ -192,7 +196,7 @@ http {
{% endif %}
include /etc/nginx/proxy.conf;
auth_request /internal/auth/user;
error_page 403 @webmail_login;
error_page 403 @sso_login;
proxy_pass http://$webmail;
}
@ -211,13 +215,9 @@ http {
auth_request_set $token $upstream_http_x_user_token;
proxy_set_header X-Remote-User $user;
proxy_set_header X-Remote-User-Token $token;
error_page 403 @webmail_login;
error_page 403 @sso_login;
proxy_pass http://$webmail;
}
location @webmail_login {
return 302 /sso/login?url=$request_uri;
}
{% endif %}
{% if ADMIN %}
location {{ WEB_ADMIN }} {
@ -232,11 +232,7 @@ http {
proxy_set_header X-Real-IP "";
proxy_set_header X-Forwarded-For "";
proxy_pass http://$antispam;
error_page 403 @antispam_login;
}
location @antispam_login {
return 302 /sso/login?url=$request_uri;
error_page 403 @sso_login;
}
{% endif %}
