commit b0a0847a8eb02ae21f755942799a81c6e3475e64
author James Feist <james.feist@linux.intel.com> Mon Feb 10 09:25:07 2020 -0800
committer Gunnar Mills <gmills@us.ibm.com> Tue Feb 11 16:43:02 2020 +0000
tree 11308d08bd2e0ad95d47fd8ffbad934fc2e58375
parent 425ed044e9422ad17e8d1924387620cd3d925f37

Block forwarding to non-local url

Currently we don't protect against forwarding to remote
url, so things like:

https://<bmc-address>/#/login?next=http:%2F%2Fyahoo.com

can be used to forward an unsuspecting user to a different
url. This fixes that issue.

Tested: Local redirects still work, above link does not

Closes #109

Change-Id: I4d6c52880156802860f405af43037fb84235912f
Signed-off-by: James Feist <james.feist@linux.intel.com>

app/login/controllers/login-controller.js

diff --git a/app/login/controllers/login-controller.js b/app/login/controllers/login-controller.js
index 7867a0c..350429b 100644
--- a/app/login/controllers/login-controller.js
+++ b/app/login/controllers/login-controller.js
@@ -40,7 +40,9 @@
             if (status) {
               $scope.$emit('user-logged-in', {});
               var next = $location.search().next;
-              if (next === undefined || next == null) {
+              // don't allow forwarding to non-local urls
+              if (next === undefined || next == null ||
+                  next.indexOf('//') >= 0) {
                 $window.location.hash = '#/overview/server';
               } else {
                 $window.location.href = next;