flarum / framework

Simple forum software for building great communities.
http://flarum.org/

[1.x] fix: Logout controller allows open redirects #3948

Closed imorland closed 9 months ago

imorland commented 9 months ago

Prevents open redirects on the LogoutController

By default, only return URLs on the forum host are permitted. Additional domains may be whitelisted using config.php:

    ...
      'redirectDomains' =>
      array (
        'trusted.com',
        'another-trusted.org'
      )
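The host check described above, as an added example that is not Flarum's own code: `isSafeReturnUrl`, its parameters and the sample URLs are assumptions, while `redirectDomains` is the config.php key named in this PR.

```php
<?php
// Added example, not Flarum's code. Function name and parameters are assumed;
// 'redirectDomains' is the config.php key from the PR description.

/**
 * Decide whether a ?return= value may be used as the post-logout redirect.
 * Accepts forum-relative paths ("/d/42") and absolute http(s) URLs whose
 * host is the forum host or one of the configured redirect domains.
 */
function isSafeReturnUrl(string $returnUrl, string $forumUrl, array $redirectDomains): bool
{
    $parts = parse_url($returnUrl);
    if ($returnUrl === '' || $parts === false) {
        return false;                       // unparseable input
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;                       // "https://forum.example@evil.example/" confusion
    }
    $scheme = isset($parts['scheme']) ? strtolower($parts['scheme']) : null;
    if ($scheme !== null && !in_array($scheme, ['http', 'https'], true)) {
        return false;                       // javascript:, data:, mailto:, ...
    }
    if (!isset($parts['host'])) {
        // No authority: only a plain forum-relative path is allowed. Reject a
        // scheme without host, "//host" (protocol-relative) and backslashes,
        // which browsers normalise to forward slashes.
        if ($scheme !== null) {
            return false;
        }
        $path = $parts['path'] ?? '';
        return $path !== '' && $path[0] === '/' && substr($path, 0, 2) !== '//'
            && strpos($path, '\\') === false;
    }
    $allowed = array_map('strtolower', $redirectDomains);
    $allowed[] = strtolower((string) parse_url($forumUrl, PHP_URL_HOST));
    return in_array(strtolower($parts['host']), $allowed, true);
}

// Constructed sample inputs with the verdict each should receive.
$forum = 'https://forum.example';
$config = ['trusted.com', 'another-trusted.org'];
$samples = [
    '/d/42' => true,
    'https://forum.example/d/42' => true,
    'https://TRUSTED.com/' => true,              // case-insensitive host match
    'https://evil.example/' => false,            // host not whitelisted
    '//evil.example/' => false,                  // protocol-relative
    'https://forum.example@evil.example/' => false, // userinfo trick
    'javascript:alert(1)' => false,
];
foreach ($samples as $url => $expected) {
    printf("%-40s %s\n", $url, isSafeReturnUrl($url, $forum, $config) === $expected ? 'ok' : 'MISMATCH');
}
```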
imorland commented 9 months ago

Would be nice to see an integration test, but otherwise the code makes sense!

I did try, however we need to make some changes to flarum/testing in order to pass the query string, as it looks like this is not currently supported.

For example:

    public function logout_with_forum_redirect(string $returnUrl)
    {
        // The return URL travels in the query string, so it must be URL-encoded.
        $encodedReturnUrl = urlencode($returnUrl);

        $response = $this->send(
            $this->request('GET', '/logout?return=' . $encodedReturnUrl)
        );

        // A permitted return URL should be answered with a redirect to that exact URL.
        $this->assertEquals(302, $response->getStatusCode());
        $this->assertEquals($returnUrl, $response->getHeaderLine('location'));
    }

This is a test I attempted to write for this, but we currently don't have the ability to pass the query, due to https://github.com/flarum/framework/blob/45a8b572e3bbedc80296e07d3125ba2f3c63f077/php-packages/testing/src/integration/TestCase.php#L269