From 4038f1274407586802a3fdb5d1373b8d5598ae5e Mon Sep 17 00:00:00 2001
From: Julien Veyssier
Date: Mon, 23 Sep 2024 15:13:23 +0200
Subject: [PATCH 1/2] fix: prevent redirecting to an absolute URL after login

Signed-off-by: Julien Veyssier
---
 lib/Controller/LoginController.php | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/lib/Controller/LoginController.php b/lib/Controller/LoginController.php
index 75ffbc3b..2739c497 100644
--- a/lib/Controller/LoginController.php
+++ b/lib/Controller/LoginController.php
@@ -198,6 +198,18 @@ private function buildProtocolErrorResponse(?bool $throttle = null): TemplateRes
 return $this->buildFailureTemplateResponse('', 'error', $params, Http::STATUS_NOT_FOUND, $throttleMetadata, $throttle);
 }
 
+ /**
+ * @param string|null $redirectUrl
+ * @return RedirectResponse
+ */
+ private function getRedirectResponse(?string $redirectUrl = null): RedirectResponse {
+ return new RedirectResponse(
+ $redirectUrl === null
+ ? null
+ : preg_replace('/^https?:\/\//', '', $redirectUrl)
+ );
+ }
+
 /**
 * @PublicPage
 * @NoCSRFRequired
@@ -210,7 +222,7 @@ private function buildProtocolErrorResponse(?bool $throttle = null): TemplateRes
 */
 public function login(int $providerId, ?string $redirectUrl = null) {
 if ($this->userSession->isLoggedIn()) {
- return new RedirectResponse($redirectUrl);
+ return $this->getRedirectResponse($redirectUrl);
 }
 if (!$this->isSecure()) {
 return $this->buildProtocolErrorResponse();
@@ -602,7 +614,7 @@ public function code(string $state = '', string $code = '', string $scope = '',
 
 $redirectUrl = $this->session->get(self::REDIRECT_AFTER_LOGIN);
 if ($redirectUrl) {
- return new RedirectResponse($redirectUrl);
+ return $this->getRedirectResponse($redirectUrl);
 }
 
 return new RedirectResponse(\OC_Util::getDefaultPageUrl());

From 99f7b730e7911459de22898e431cfcf525f0393a Mon Sep 17 00:00:00 2001
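Review bot: `getRedirectResponse` in the first hunk only strips a literal `http://`/`https://` prefix, so a scheme-relative value like `//host/path` passes through unchanged (and, since the pattern has no `i` modifier, so does an upper-case scheme), and the `login()` and `code()` call sites in the two following hunks then redirect to it. A positive check is more robust than a denylist: accept `$redirectUrl` only when it starts with a single `/`, otherwise fall back to `\OC_Util::getDefaultPageUrl()`, which `code()` already uses as its default, e.g. `if ($redirectUrl === null || !str_starts_with($redirectUrl, '/') || str_starts_with($redirectUrl, '//')) { return new RedirectResponse(\OC_Util::getDefaultPageUrl()); }`. The new PHPDoc only restates the native types; a purpose line such as `Build the post-login redirect, keeping only a same-origin path so $redirectUrl cannot send the user to another host.` would document the why. Both `login()` and `code()` continue outside their hunks.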
From: Julien Veyssier
Date: Thu, 10 Oct 2024 11:22:53 +0200
Subject: [PATCH 2/2] use parse_url to get rid of the protocol+domain in the login redirect URL

Signed-off-by: Julien Veyssier
---
 lib/Controller/LoginController.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/lib/Controller/LoginController.php b/lib/Controller/LoginController.php
index 2739c497..8ee5fa2a 100644
--- a/lib/Controller/LoginController.php
+++ b/lib/Controller/LoginController.php
@@ -203,10 +203,13 @@ private function buildProtocolErrorResponse(?bool $throttle = null): TemplateRes
 * @return RedirectResponse
 */
 private function getRedirectResponse(?string $redirectUrl = null): RedirectResponse {
+ // this could also be done with
+ // preg_replace('/^https?:\/\//', '', $redirectUrl)
+ // or even: if (preg_match('/https?:\/\//', $redirectUrl) === 1) return new RedirectResponse('/');
 return new RedirectResponse(
 $redirectUrl === null
 ? null
- : preg_replace('/^https?:\/\//', '', $redirectUrl)
+ : parse_url($redirectUrl, PHP_URL_PATH)
 );
 }
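Review bot: `parse_url($redirectUrl, PHP_URL_PATH)` on the `:` branch discards the query string and fragment, so a redirect such as `/apps/files/?dir=/Documents` silently lands on `/apps/files/`, and for a seriously malformed URL it returns `false`, which the `=== null` guard does not catch before the value reaches `RedirectResponse`. A scheme-relative `//host` yields `null` (no path component) and a value starting `/\` is returned unchanged even though browsers resolve it against another host, so a positive check that the path starts with exactly one `/` is still missing; `\OC_Util::getDefaultPageUrl()`, already the fallback a few lines below in `code()`, is the natural default and would also cover the `null` input (worth confirming whether `RedirectResponse` even accepts `null` today). The three added `// this could also be done with …` comment lines record rejected alternatives rather than the intent; I would replace them with `// keep only path, query and fragment so the post-login redirect stays on this origin`. A rewrite of the method body (which ends inside the hunk):
```php
private function getRedirectResponse(?string $redirectUrl = null): RedirectResponse {
    // keep only path, query and fragment so the post-login redirect stays on this origin
    $parts = $redirectUrl === null ? false : parse_url($redirectUrl);
    $path = is_array($parts) ? ($parts['path'] ?? '') : '';
    // reject '', '//host' and '/\host': browsers resolve the latter two against another host
    if ($path === '' || $path[0] !== '/' || ($path[1] ?? '') === '/' || ($path[1] ?? '') === '\\') {
        return new RedirectResponse(\OC_Util::getDefaultPageUrl());
    }
    if (isset($parts['query'])) {
        $path .= '?' . $parts['query'];
    }
    if (isset($parts['fragment'])) {
        $path .= '#' . $parts['fragment'];
    }
    return new RedirectResponse($path);
}
```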