From 9ec106872b1dc5ffcf7a51340e10c80f2c01551e Mon Sep 17 00:00:00 2001
From: hole-thu
Date: Tue, 3 May 2022 01:46:17 +0800
Subject: [PATCH] fix: check jump_to_url

---
 Cargo.toml   |  1 +
 src/login.rs | 16 +++++++++++++++-
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/Cargo.toml b/Cargo.toml
index 04c8068..7efb770 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -7,6 +7,7 @@ license = "WTFPL-2.0"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [features]
+default = ["mastlogin"]
 mastlogin = ["url", "reqwest"]
 
 [dependencies]
diff --git a/src/login.rs b/src/login.rs
index 204024d..b0bdd10 100644
--- a/src/login.rs
+++ b/src/login.rs
@@ -119,5 +119,19 @@ pub async fn cs_auth(code: String, redirect_url: String, jump_to_url: String, db
         .await
         .unwrap();
 
-    Redirect::to(format!("{}?token={}", &jump_to_url, &tk))
+    Redirect::to(format!(
+        "{}?token={}",
+        {
+            if env::var("FRONTEND_WHITELIST")
+                .unwrap_or_default()
+                .split(',')
+                .any(|url| jump_to_url.starts_with(url))
+            {
+                &jump_to_url
+            } else {
+                "/"
+            }
+        },
+        &tk
+    ))
 }
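Review bot: When `FRONTEND_WHITELIST` is unset, `unwrap_or_default()` yields an empty string, `split(',')` then produces a single empty entry, and `jump_to_url.starts_with("")` is true for every value, so the default configuration still redirects the token to any caller-supplied URL — the open redirect this hunk is meant to close; a trailing or doubled comma in the variable has the same effect. Dropping empty entries closes that gap: `.split(',').filter(|u| !u.is_empty()).any(|url| jump_to_url.starts_with(url))`. Plain prefix matching is also weaker than an origin comparison, since an entry such as `https://front.example` also accepts any longer host that begins with it unless the entry ends with `/`; parsing both sides with the `url` crate (already a dependency of the `mastlogin` feature per the Cargo.toml hunk) and comparing scheme and host would be the more robust check, and the list could be read once at startup rather than on every request. The body of `cs_auth` starts outside the hunk; only its tail is visible here.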