Updated private-sites to not redirect to full urls

no-issue - Parse redirects as URL with blog as base - Redirect to the pathname property of parsed URL Credits: @j3ssie
TryGhost · Nov 7, 2018 · e70fb1e · e70fb1e
1 parent faa1de1
commit e70fb1e
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 2 deletions.
diff --git a/core/server/apps/private-blogging/lib/middleware.js b/core/server/apps/private-blogging/lib/middleware.js
@@ -1,5 +1,6 @@
 var _           = require('lodash'),
     fs          = require('fs'),
+    url         = require('url'),
     config      = require('../../../config'),
     crypto      = require('crypto'),
     path        = require('path'),
@@ -27,6 +28,15 @@ function verifySessionHash(salt, hash) {
     });
 }
 
+function getRedirectUrl(query) {
+    var redirect = decodeURIComponent(query ? query.r : '/');
+    try {
+        return url.parse(redirect, config.urlFor('home', true)).pathname;
+    } catch (e) {
+        return '/';
+    }
+}
+
 privateBlogging = {
     checkIsPrivate: function checkIsPrivate(req, res, next) {
         return api.settings.read({context: {internal: true}, key: 'isPrivate'}).then(function then(response) {
@@ -120,14 +130,14 @@ privateBlogging = {
             var pass = response.settings[0],
                 hasher = crypto.createHash('sha256'),
                 salt = Date.now().toString(),
-                forward = req.query && req.query.r ? req.query.r : '/';
+                forward = getRedirectUrl(req.query);
 
             if (pass.value === bodyPass) {
                 hasher.update(bodyPass + salt, 'utf8');
                 req.session.token = hasher.digest('hex');
                 req.session.salt = salt;
 
-                return res.redirect(config.urlFor({relativeUrl: decodeURIComponent(forward)}));
+                return res.redirect(config.urlFor({relativeUrl: forward}));
             } else {
                 res.error = {
                     message: i18n.t('errors.middleware.privateblogging.wrongPassword')

diff --git a/core/server/apps/private-blogging/tests/middleware_spec.js b/core/server/apps/private-blogging/tests/middleware_spec.js
@@ -243,6 +243,20 @@ describe('Private Blogging', function () {
                     }).catch(done);
                 });
 
+                it('authenticateProtection should redirect to "/" if r param is a full url', function () {
+                    req.body = {password: 'rightpassword'};
+                    req.session = {};
+                    req.query = {
+                        r: encodeURIComponent('http://britney.com')
+                    };
+                    res.redirect = sandbox.spy();
+
+                    privateBlogging.authenticateProtection(req, res, next).then(function () {
+                        res.redirect.called.should.be.true();
+                        res.redirect.args[0][0].should.be.equal('/');
+                    });
+                });
+
                 it('authenticateProtection should return next if password is incorrect', function (done) {
                     req.body = {password: 'wrongpassword'};