fix: check jump_to_url

3 years ago · 9ec106872b
2 changed files with 16 additions and 1 deletions
--- a/Cargo.toml
+++ b/Cargo.toml
@ -7,6 +7,7 @@ license = "WTFPL-2.0"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

 [features]
+default = ["mastlogin"]
 mastlogin = ["url", "reqwest"]

 [dependencies]
--- a/src/login.rs
+++ b/src/login.rs
@ -119,5 +119,19 @@ pub async fn cs_auth(code: String, redirect_url: String, jump_to_url: String, db
        .await
        .unwrap();

-    Redirect::to(format!("{}?token={}", &jump_to_url, &tk))
+    Redirect::to(format!(
+        "{}?token={}",
+        {
+            if env::var("FRONTEND_WHITELIST")
+                .unwrap_or_default()
+                .split(',')
+                .any(|url| jump_to_url.starts_with(url))
+            {
+                &jump_to_url
+            } else {
+                "/"
+            }
+        },
+        &tk
+    ))
 }