From b0a0847a8eb02ae21f755942799a81c6e3475e64 Mon Sep 17 00:00:00 2001
From: James Feist
Date: Mon, 10 Feb 2020 09:25:07 -0800
Subject: Block forwarding to non-local url
Currently we don't protect against forwarding to remote url, so things like: https:///#/login?next=http:%2F%2Fyahoo.com can be used to forward an unsuspecting user to a different url. This fixes that issue.
Tested: Local redirects still work, above link does not
Closes #109
Change-Id: I4d6c52880156802860f405af43037fb84235912f
Signed-off-by: James Feist
---
 app/login/controllers/login-controller.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/app/login/controllers/login-controller.js b/app/login/controllers/login-controller.js
index 7867a0c..350429b 100644
--- a/app/login/controllers/login-controller.js
+++ b/app/login/controllers/login-controller.js
@@ -40,7 +40,9 @@ window.angular && (function(angular) {
 if (status) {
 $scope.$emit('user-logged-in', {});
 var next = $location.search().next;
- if (next === undefined || next == null) {
+ // don't allow forwarding to non-local urls
+ if (next === undefined || next == null ||
+ next.indexOf('//') >= 0) {
 $window.location.hash = '#/overview/server';
 } else {
 $window.location.href = next;
--
cgit v1.2.1
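Review bot: The added `next.indexOf('//') >= 0` test is a denylist, so a `next` value that carries a scheme without slashes (a `javascript:` URL, for instance) still reaches `$window.location.href = next` and is navigated to; an allowlist on the shape of a local target is the safer check. If local targets are always hash routes, as the `'#/overview/server'` fallback suggests, `if (next == null || typeof next !== 'string' || next.charAt(0) !== '#') {` keeps this fix and also survives a bare `?next` with no value, which I believe `$location.search()` reports as boolean `true` rather than a string and which would throw on `.indexOf`. The existing `next === undefined ||` clause is redundant with `next == null` and could go in the same edit. The enclosing function starts and ends outside the hunk.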