FEATURE: setting to allow arbitrary redirects from sso origin

if sso_allows_all_return_paths is set to true you can redirect off-site from sso success
discourse · Dec 16, 2016 · 61eb134 · 61eb134
1 parent 6ff309a
commit 61eb134
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 1 deletion.
diff --git a/app/controllers/session_controller.rb b/app/controllers/session_controller.rb
@@ -118,7 +118,7 @@ def sso_login
         if return_path !~ /^\/[^\/]/
           begin
             uri = URI(return_path)
-            return_path = path("/") unless uri.host == Discourse.current_hostname
+            return_path = path("/") unless SiteSetting.sso_allows_all_return_paths || uri.host == Discourse.current_hostname
           rescue
             return_path = path("/")
           end

diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml
@@ -1020,6 +1020,7 @@ en:
     sso_overrides_name: "Overrides local full name with external site full name from SSO payload on every login, and prevent local changes."
     sso_overrides_avatar: "Overrides user avatar with external site avatar from SSO payload. If enabled, disabling allow_uploaded_avatars is highly recommended"
     sso_not_approved_url: "Redirect unapproved SSO accounts to this URL"
+    sso_allows_all_return_paths: "Do not restrict the domain for return_paths provided by SSO (by default return path must be on current site)"
 
     enable_local_logins: "Enable local username and password login based accounts. (Note: this must be enabled for invites to work)"
     allow_new_registrations: "Allow new user registrations. Uncheck this to prevent anyone from creating a new account."

diff --git a/config/site_settings.yml b/config/site_settings.yml
@@ -298,6 +298,7 @@ login:
   enable_sso:
     client: true
     default: false
+  sso_allows_all_return_paths: false
   enable_sso_provider: false
   verbose_sso_logging: false
   sso_url:

diff --git a/spec/controllers/session_controller_spec.rb b/spec/controllers/session_controller_spec.rb
@@ -141,6 +141,19 @@ def sso_for_ip_specs
       expect(response).to redirect_to('/b/')
     end
 
+    it 'redirects to random url if it is allowed' do
+      SiteSetting.sso_allows_all_return_paths = true
+
+      sso = get_sso('https://gusundtrout.com')
+      sso.external_id = '666' # the number of the beast
+      sso.email = 'bob@bob.com'
+      sso.name = 'Sam Saffron'
+      sso.username = 'sam'
+
+      get :sso_login, Rack::Utils.parse_query(sso.payload)
+      expect(response).to redirect_to('https://gusundtrout.com')
+    end
+
     it 'redirects to root if the host of the return_path is different' do
       sso = get_sso('//eviltrout.com')
       sso.external_id = '666' # the number of the beast