From 61eb134181e9131c9fd35bcb518ccaaf2935cc7a Mon Sep 17 00:00:00 2001
From: Sam
Date: Fri, 16 Dec 2016 13:37:44 +1100
Subject: [PATCH] FEATURE: setting to allow arbitrary redirects from sso origin

if sso_allows_all_return_paths is set to true you can redirect off-site from sso success
---
 app/controllers/session_controller.rb | 2 +-
 config/locales/server.en.yml | 1 +
 config/site_settings.yml | 1 +
 spec/controllers/session_controller_spec.rb | 13 +++++++++++++
 4 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/app/controllers/session_controller.rb b/app/controllers/session_controller.rb
index a73541a3fb9..dbe443a2faa 100644
--- a/app/controllers/session_controller.rb
+++ b/app/controllers/session_controller.rb
@@ -118,7 +118,7 @@ class SessionController < ApplicationController
 if return_path !~ /^\/[^\/]/
 begin
 uri = URI(return_path)
- return_path = path("/") unless uri.host == Discourse.current_hostname
+ return_path = path("/") unless SiteSetting.sso_allows_all_return_paths || uri.host == Discourse.current_hostname
 rescue
 return_path = path("/")
 end
diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml
index 2260ce3ab94..9888cae20b9 100644
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
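Review bot: The added `SiteSetting.sso_allows_all_return_paths ||` short-circuits the host comparison and leaves no other validation of `return_path`, so with the setting enabled any value that `URI()` can parse becomes the redirect target. If the intent is off-site web redirects only, constrain just the new branch so existing behaviour is untouched: `return_path = path("/") unless (SiteSetting.sso_allows_all_return_paths && %w[http https].include?(uri.scheme)) || uri.host == Discourse.current_hostname`. This presumably relies on the SSO payload being signed by the provider; that assumption is worth stating in the setting's description so operators understand who gets to pick the destination. The enclosing method starts and ends outside the hunk.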
@@ -1020,6 +1020,7 @@ en:
 sso_overrides_name: "Overrides local full name with external site full name from SSO payload on every login, and prevent local changes."
 sso_overrides_avatar: "Overrides user avatar with external site avatar from SSO payload. If enabled, disabling allow_uploaded_avatars is highly recommended"
 sso_not_approved_url: "Redirect unapproved SSO accounts to this URL"
+ sso_allows_all_return_paths: "Do not restrict the domain for return_paths provided by SSO (by default return path must be on current site)"
 enable_local_logins: "Enable local username and password login based accounts. (Note: this must be enabled for invites to work)"
 allow_new_registrations: "Allow new user registrations. Uncheck this to prevent anyone from creating a new account."
diff --git a/config/site_settings.yml b/config/site_settings.yml
index 1d4eaee0a33..ab87f039bb6 100644
--- a/config/site_settings.yml
+++ b/config/site_settings.yml
@@ -298,6 +298,7 @@ login:
 enable_sso:
 client: true
 default: false
+ sso_allows_all_return_paths: false
 enable_sso_provider: false
 verbose_sso_logging: false
 sso_url:
diff --git a/spec/controllers/session_controller_spec.rb b/spec/controllers/session_controller_spec.rb
index 0354ff813dd..50858f7acdb 100644
--- a/spec/controllers/session_controller_spec.rb
+++ b/spec/controllers/session_controller_spec.rb
@@ -141,6 +141,19 @@ describe SessionController do
 expect(response).to redirect_to('/b/')
 end
 
+ it 'redirects to random url if it is allowed' do
+ SiteSetting.sso_allows_all_return_paths = true
+
+ sso = get_sso('https://gusundtrout.com')
+ sso.external_id = '666' # the number of the beast
+ sso.email = 'bob@bob.com'
+ sso.name = 'Sam Saffron'
+ sso.username = 'sam'
+
+ get :sso_login, Rack::Utils.parse_query(sso.payload)
+ expect(response).to redirect_to('https://gusundtrout.com')
+ end
+
 it 'redirects to root if the host of the return_path is different' do
 sso = get_sso('//eviltrout.com')
 sso.external_id = '666' # the number of the beast
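Review bot: The new example only covers the enabled case; nothing asserts that with the default `sso_allows_all_return_paths = false` an absolute `https://` return_path is still sent to root, because the neighbouring 'host of the return_path is different' example uses the protocol-relative `//eviltrout.com` form. Consider a sibling example built with `get_sso('https://gusundtrout.com')`, the setting left at its default, and an expectation that the redirect lands on the root path. The example also sets `SiteSetting.sso_allows_all_return_paths = true` without restoring it; presumably the suite resets site settings between examples, but if it does not, the examples that follow would run with the permissive value.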