From 37ced7df0531accb4f091c78258ff98946d062c9 Mon Sep 17 00:00:00 2001
From: David Cook
Date: Thu, 10 Nov 2022 00:00:37 +0000
Subject: [PATCH] Bug 31699: (follow-up) Protect more against open redirects

This change checks that the OPACBaseURL exists, and uses its scheme and authority to rewrite the URL passed through the "return" param.

Signed-off-by: Martin Renvoize
Signed-off-by: Tomas Cohen Arazi
---
 opac/opac-user.pl | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/opac/opac-user.pl b/opac/opac-user.pl
index a02e7f16ac..d787e3f612 100755
--- a/opac/opac-user.pl
+++ b/opac/opac-user.pl
@@ -20,6 +20,7 @@ use Modern::Perl;
 use CGI qw ( -utf8 );
+use URI;
 use C4::Auth qw( get_template_and_user );
 use C4::Koha qw(
@@ -428,12 +429,19 @@ if ($search_query) {
 # back to the page we triggered the login from
 my $return = $query->param('return');
 if ( $return ) {
- my $uri = C4::Context->preference('OPACBaseURL');
- $uri .= $return;
- print $query->redirect(
- -uri => $uri,
- -cookie => $cookie,
- );
+ my $uri_syspref = C4::Context->preference('OPACBaseURL');
+ if ( $uri_syspref ){
+ my $uri = URI->new($uri_syspref);
+ if ( $uri->isa('URI::http') && $uri->host() ){
+ my $return_uri = URI->new($return);
+ $return_uri->scheme( $uri->scheme() );
+ $return_uri->authority( $uri->authority() );
+ print $query->redirect(
+ -uri => "$return_uri",
+ -cookie => $cookie,
+ );
+ }
+ }
 }
 output_html_with_http_headers $query, $cookie, $template->output, undef, { force_no_caching => 1 };
-- 
2.39.5
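Review bot: After `print $query->redirect(...)` the new branch still falls through to the `output_html_with_http_headers` call at the end of the hunk, so a successful redirect is followed by a second header block and the full rendered page as body — unless something outside the hunk stops execution, add `exit;` directly after the redirect's closing `);`. The rewrite itself looks sound: replacing scheme and authority wholesale neutralises `//evil`, `user@evil` and absolute-URL forms of `return`, and as far as I recall URI->new percent-encodes characters outside the URI character set, so CR/LF cannot reach the Location header. Both guards fail silently, though: an unset, scheme-less or non-http(s) OPACBaseURL drops the redirect and renders the page with no trace, which is easy to mistake for the fix not working; a comment such as `# Fall through and render the page instead of redirecting when OPACBaseURL is unusable` and a `warn` on that path would make the intent explicit. The enclosing code is top-level script and the hunk begins mid-file after an `if ($search_query)` block.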