From f20208fb4b277cc941f64ce884c4dd27bb30fc5b Mon Sep 17 00:00:00 2001 From: Dimitri Huisman Date: Sat, 18 Mar 2023 09:05:18 +0000 Subject: [PATCH] Fix error in check for proxy scenario --- core/admin/mailu/sso/views/base.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/core/admin/mailu/sso/views/base.py b/core/admin/mailu/sso/views/base.py index 9f50da7d..43237c75 100644 --- a/core/admin/mailu/sso/views/base.py +++ b/core/admin/mailu/sso/views/base.py @@ -78,8 +78,8 @@ def logout(): Redirect to the url passed in parameter if any; Ensure that this is not an open-redirect too... https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html """ -def _has_usable_redirect(): - if 'homepage' in flask.request.url and not (flask.request.headers.get(app.config['PROXY_AUTH_HEADER']) and not 'noproxyauth'): +def _has_usable_redirect(is_proxied=False): + if 'homepage' in flask.request.url and not is_proxied: return None if url := flask.request.args.get('url'): url = url_unquote(url) @@ -101,7 +101,7 @@ def _proxy(): if not email: return flask.abort(500, 'No %s header' % app.config['PROXY_AUTH_HEADER']) - url = _has_usable_redirect() or app.config['WEB_ADMIN'] + url = _has_usable_redirect(True) or app.config['WEB_ADMIN'] user = models.User.get(email) if user: