Improve redirect avoidance for /sso paths

e6b3310577582fc702913ac084d41bdf7006439d was missing an ege case where return url included current_hostname
2025-02-20 18:58:10 +00:00 · 2018-11-09 17:03:42 +11:00 · 2018-11-09 17:03:42 +11:00 · 3ae4fcd1f7
commit 3ae4fcd1f7
parent 7a53e0b186
2 changed files with 14 additions and 1 deletions
--- a/app/controllers/session_controller.rb
+++ b/app/controllers/session_controller.rb
@ -162,7 +162,11 @@ class SessionController < ApplicationController
        if return_path !~ /^\/[^\/]/
          begin
            uri = URI(return_path)
-            return_path = path("/") unless SiteSetting.sso_allows_all_return_paths || uri.host == Discourse.current_hostname
+            if (uri.hostname == Discourse.current_hostname)
+              return_path = uri.request_uri
+            elsif !SiteSetting.sso_allows_all_return_paths
+              return_path = path("/")
+            end
          rescue
            return_path = path("/")
          end
--- a/spec/requests/session_controller_spec.rb
+++ b/spec/requests/session_controller_spec.rb
@ -311,6 +311,15 @@ RSpec.describe SessionController do

      get "/session/sso_login", params: Rack::Utils.parse_query(sso.payload), headers: headers
      expect(response).to redirect_to('/')
+
+      sso = get_sso("http://#{Discourse.current_hostname}/sso?bla=1")
+      sso.email = user.email
+      sso.external_id = 'abc'
+      sso.username = 'sam'
+
+      get "/session/sso_login", params: Rack::Utils.parse_query(sso.payload), headers: headers
+      expect(response).to redirect_to('/')
+
    end

    it 'can take over an account' do