From 1831ca3b1e46a25ae139238250cdc79dada74a30 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Tue, 14 Mar 2023 09:40:43 +0100
Subject: [PATCH] Handle WEBROOT_REDIRECT better

---
 core/admin/mailu/sso/views/base.py |  4 +++-
 core/nginx/conf/nginx.conf         | 20 ++++++++------------
 2 files changed, 11 insertions(+), 13 deletions(-)

diff --git a/core/admin/mailu/sso/views/base.py b/core/admin/mailu/sso/views/base.py
index 1f7b776e..ae2232ce 100644
--- a/core/admin/mailu/sso/views/base.py
+++ b/core/admin/mailu/sso/views/base.py
@@ -21,7 +21,7 @@ def login():
     fields = []
-    if flask.request.args.get('url'):
+    if 'url' in flask.request.args and not 'homepage' in flask.request.url:
         fields.append(form.submitAdmin)
     else:
         form.submitAdmin.label.text = form.submitAdmin.label.text + ' Admin'
@@ -79,6 +79,8 @@ Redirect to the url passed in parameter if any; Ensure that this is not an open-
     https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
     """
     def _has_usable_redirect():
+        if 'homepage' in flask.request.url:
+            return None
         if url := flask.request.args.get('url'):
             url = url_unquote(url)
             target = urlparse(urljoin(flask.request.url, url))
diff --git a/core/nginx/conf/nginx.conf b/core/nginx/conf/nginx.conf
index 9aab226b..85f22e45 100644
--- a/core/nginx/conf/nginx.conf
+++ b/core/nginx/conf/nginx.conf
@@ -173,11 +173,15 @@ http {
         }
         {% endif %}
+        location @sso_login {
+            return 302 /sso/login?url=$request_uri;
+        }
+
         {% if WEB_WEBMAIL != '/' and WEBROOT_REDIRECT != 'none' %}
         location / {
             expires $expires;
             {% if WEBROOT_REDIRECT %}
-            try_files $uri {{ WEBROOT_REDIRECT }};
+            try_files $uri {{ WEBROOT_REDIRECT }}?homepage;
             {% else %}
             try_files $uri =404;
             {% endif %}
@@ -192,7 +196,7 @@ http {
             {% endif %}
             include /etc/nginx/proxy.conf;
             auth_request /internal/auth/user;
-            error_page 403 @webmail_login;
+            error_page 403 @sso_login;
             proxy_pass http://$webmail;
         }
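Review bot: The new condition `not 'homepage' in flask.request.url` in `login()` is a plain substring match over the entire request URL, so any request whose path or `url=` value happens to contain that word — a webmail deep link, or whatever a client chooses to send — is treated as the WEBROOT_REDIRECT fallback and silently loses the Admin button and its post-login redirect; that fails in the safe direction (no redirect is performed), but it is an imprecise marker, and `_has_usable_redirect` in the second hunk of this file repeats the identical test ahead of its open-redirect validation. Factoring the test into one helper keeps the two sites in step and makes the contract with nginx explicit, e.g. `def _is_homepage_fallback():` / `    """True when nginx's try_files appended the '?homepage' marker (see nginx.conf)."""` / `    return 'homepage' in flask.request.url`, with both hunks calling it; if the marker is known to arrive inside the `url` value, matching on `urlparse(url_unquote(url)).query == 'homepage'` would be tighter, though how the marker reaches `/sso/login` is not visible from this file. PEP 8 also spells the negation `'homepage' not in flask.request.url` rather than `not 'homepage' in ...`. Both `login()` and the function enclosing `_has_usable_redirect` continue outside their hunks.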
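Review bot: `return 302 /sso/login?url=$request_uri;` in the new `@sso_login` location interpolates `$request_uri` verbatim with no URL-encoding, so the `url=` value handed to the login view carries the original request's `?` and `&` unescaped — an `&` in the original URI will most likely be parsed as a separate parameter on the Flask side and truncate the redirect target — and the `?homepage` marker this hunk appends in `try_files` presumably reaches `/sso/login` only by riding inside that raw value. That coupling is documented in neither file; a comment on the location would help, e.g. `# $request_uri is passed verbatim (unescaped); the admin login view looks for the 'homepage' marker in it`, and on the try_files line `# ?homepage tells the SSO login page this was the webroot fallback, not a user-requested URL`. A WEBROOT_REDIRECT value that already carries a query string would also end up with two `?` after this change. The `-192` hunk here and the two hunks in the remainder of this file only repoint `error_page 403` at this location; the enclosing server block starts and ends outside the hunk.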
@@ -211,13 +215,9 @@ http {
             auth_request_set $token $upstream_http_x_user_token;
             proxy_set_header X-Remote-User $user;
             proxy_set_header X-Remote-User-Token $token;
-            error_page 403 @webmail_login;
+            error_page 403 @sso_login;
             proxy_pass http://$webmail;
         }
-
-        location @webmail_login {
-            return 302 /sso/login?url=$request_uri;
-        }
         {% endif %}
         {% if ADMIN %}
         location {{ WEB_ADMIN }} {
@@ -232,11 +232,7 @@ http {
             proxy_set_header X-Real-IP "";
             proxy_set_header X-Forwarded-For "";
             proxy_pass http://$antispam;
-            error_page 403 @antispam_login;
-        }
-
-        location @antispam_login {
-            return 302 /sso/login?url=$request_uri;
+            error_page 403 @sso_login;
         }
         {% endif %}