Fix previous url, also in Safari

This commit is contained in:
James Cole 2021-10-03 06:06:49 +02:00
parent 4e7a27dd65
commit ab6707b9d9
No known key found for this signature in database
GPG Key ID: BDE6667570EADBD5
2 changed files with 61 additions and 8 deletions

View File

@ -42,16 +42,20 @@ class StartFireflySession extends StartSession
*/
protected function storeCurrentUrl(Request $request, $session): void
{
$url = $request->fullUrl();
$forbiddenWords = strpos($url, 'offline') || strpos($url, 'jscript') || strpos($url, 'delete') || strpos($url, '/login') || strpos($url, '/json') || strpos($url, 'serviceworker') || strpos($url, '/attachments/view');
$url = $request->fullUrl();
$safeUrl = app('steam')->getSafeUrl($url, route('index'));
if (false === $forbiddenWords
&& 'GET' === $request->method()
&& !$request->ajax()) {
//Log::debug(sprintf('Redirect is now "%s".', $url));
$session->setPreviousUrl($url);
if ($url !== $safeUrl) {
//Log::debug(sprintf('storeCurrentUrl: converted "%s" to "%s", so will not use it.', $url, $safeUrl));
return;
}
//Log::debug(sprintf('Refuse to set "%s" as current URL.', $url));
if ('GET' === $request->method() && !$request->ajax()) {
//Log::debug(sprintf('storeCurrentUrl: Redirect is now "%s".', $safeUrl));
$session->setPreviousUrl($safeUrl);
return;
}
//Log::debug(sprintf('storeCurrentUrl: Refuse to set "%s" as current URL.', $safeUrl));
}
}

View File

@ -31,7 +31,9 @@ use FireflyIII\Models\TransactionCurrency;
use FireflyIII\Repositories\Account\AccountRepositoryInterface;
use Illuminate\Support\Collection;
use JsonException;
use Log;
use stdClass;
use Str;
/**
* Class Steam.
@ -41,6 +43,53 @@ use stdClass;
class Steam
{
/**
* Returns the previous URL but refuses to send you to specific URLs.
*
* - outside domain
* - to JS files, API or JSON routes
*
* Uses the session's previousUrl() function as inspired by GitHub user @z1r0-
*
* session()->previousUrl() uses getSafeUrl() so we can safely return it:
*
* @return string
*/
public function getSafePreviousUrl(): string
{
//Log::debug(sprintf('getSafePreviousUrl: "%s"', session()->previousUrl()));
return session()->previousUrl() ?? route('index');
}
/**
* Make sure URL is safe.
*
* @param string $unknownUrl
* @param string $safeUrl
*
* @return string
*/
public function getSafeUrl(string $unknownUrl, string $safeUrl): string
{
//Log::debug(sprintf('getSafeUrl(%s, %s)', $unknownUrl, $safeUrl));
$returnUrl = $safeUrl;
$unknownHost = parse_url($unknownUrl, PHP_URL_HOST);
$safeHost = parse_url($safeUrl, PHP_URL_HOST);
if (null !== $unknownHost && $unknownHost === $safeHost) {
$returnUrl = $unknownUrl;
}
// URL must not lead to weird pages
$forbiddenWords = ['jscript', 'json', 'debug', 'serviceworker', 'offline', 'delete', '/login', '/attachments/view'];
if (Str::contains($returnUrl, $forbiddenWords)) {
$returnUrl = $safeUrl;
}
return $returnUrl;
}
/**
* @param Account $account
* @param Carbon $date