Handle WEBROOT_REDIRECT better

Florent Daigniere 2 years ago
parent e1739befc0
commit 1831ca3b1e

@ -21,7 +21,7 @@ def login():
fields = [] fields = []
if flask.request.args.get('url'): if 'url' in flask.request.args and not 'homepage' in flask.request.url:
fields.append(form.submitAdmin) fields.append(form.submitAdmin)
else: else:
form.submitAdmin.label.text = form.submitAdmin.label.text + ' Admin' form.submitAdmin.label.text = form.submitAdmin.label.text + ' Admin'
@ -79,6 +79,8 @@ Redirect to the url passed in parameter if any; Ensure that this is not an open-
https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
""" """
def _has_usable_redirect(): def _has_usable_redirect():
if 'homepage' in flask.request.url:
return None
if url := flask.request.args.get('url'): if url := flask.request.args.get('url'):
url = url_unquote(url) url = url_unquote(url)
target = urlparse(urljoin(flask.request.url, url)) target = urlparse(urljoin(flask.request.url, url))
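Review bot: `'homepage' in flask.request.url` in `_has_usable_redirect` (and the mirrored `not 'homepage' in flask.request.url` in the `login()` hunk above) is a substring test over the whole request URL, including the client-supplied `url=` value, so any legitimate redirect target whose path or query merely contains the text "homepage" is silently dropped and the admin button hidden. Since the helper already builds `target = urlparse(urljoin(flask.request.url, url))`, the marker should be read from the parsed target after that line, e.g. `if 'homepage' in parse_qs(target.query): return None` (with `parse_qs` imported next to `urlparse`), and `login()` should delegate to the helper rather than duplicating the raw-URL check. As a point of style, `'homepage' not in flask.request.url` is the idiomatic spelling of `not 'homepage' in ...`. `_has_usable_redirect` continues beyond the hunk, so the remaining open-redirect validation of `target` is not visible here.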

@ -173,11 +173,15 @@ http {
} }
{% endif %} {% endif %}
location @sso_login {
return 302 /sso/login?url=$request_uri;
}
{% if WEB_WEBMAIL != '/' and WEBROOT_REDIRECT != 'none' %} {% if WEB_WEBMAIL != '/' and WEBROOT_REDIRECT != 'none' %}
location / { location / {
expires $expires; expires $expires;
{% if WEBROOT_REDIRECT %} {% if WEBROOT_REDIRECT %}
try_files $uri {{ WEBROOT_REDIRECT }}; try_files $uri {{ WEBROOT_REDIRECT }}?homepage;
{% else %} {% else %}
try_files $uri =404; try_files $uri =404;
{% endif %} {% endif %}
@ -192,7 +196,7 @@ http {
{% endif %} {% endif %}
include /etc/nginx/proxy.conf; include /etc/nginx/proxy.conf;
auth_request /internal/auth/user; auth_request /internal/auth/user;
error_page 403 @webmail_login; error_page 403 @sso_login;
proxy_pass http://$webmail; proxy_pass http://$webmail;
} }
@ -211,13 +215,9 @@ http {
auth_request_set $token $upstream_http_x_user_token; auth_request_set $token $upstream_http_x_user_token;
proxy_set_header X-Remote-User $user; proxy_set_header X-Remote-User $user;
proxy_set_header X-Remote-User-Token $token; proxy_set_header X-Remote-User-Token $token;
error_page 403 @webmail_login; error_page 403 @sso_login;
proxy_pass http://$webmail; proxy_pass http://$webmail;
} }
location @webmail_login {
return 302 /sso/login?url=$request_uri;
}
{% endif %} {% endif %}
{% if ADMIN %} {% if ADMIN %}
location {{ WEB_ADMIN }} { location {{ WEB_ADMIN }} {
@ -232,11 +232,7 @@ http {
proxy_set_header X-Real-IP ""; proxy_set_header X-Real-IP "";
proxy_set_header X-Forwarded-For ""; proxy_set_header X-Forwarded-For "";
proxy_pass http://$antispam; proxy_pass http://$antispam;
error_page 403 @antispam_login; error_page 403 @sso_login;
}
location @antispam_login {
return 302 /sso/login?url=$request_uri;
} }
{% endif %} {% endif %}
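Review bot: The `?homepage` marker appended in `try_files $uri {{ WEBROOT_REDIRECT }}?homepage;` does not appear to reach the login page through `return 302 /sso/login?url=$request_uri;`, because as far as I know `$request_uri` is the client's original request line and is not rewritten by the internal redirect that `try_files` performs; if that is right, a plain `GET /` arrives at `/sso/login` with `url=/` and the Python-side `homepage` checks never fire on this path. Please verify with a request for `/`; if the marker is lost, `$uri$is_args$args` (the post-redirect URI and its arguments) would carry it instead. Separately, `$request_uri` is interpolated unescaped into the `url=` parameter, so an original query string containing `&` is split into separate parameters and everything after the first `&` is dropped from the redirect target, while `url_unquote` on the Flask side expects a percent-encoded value. Consolidating the three `@*_login` named locations into one `@sso_login` is fine as long as it stays in the same `server {}` block as the `error_page 403 @sso_login;` lines that reference it.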
