fix: check jump_to_url

2022-05-03 01:46:17 +08:00
parent 462071da54
commit 9ec106872b
2 changed files with 16 additions and 1 deletions
--- a/src/login.rs
+++ b/src/login.rs
@@ -119,5 +119,19 @@ pub async fn cs_auth(code: String, redirect_url: String, jump_to_url: String, db
        .await
        .unwrap();

-    Redirect::to(format!("{}?token={}", &jump_to_url, &tk))
+    Redirect::to(format!(
+        "{}?token={}",
+        {
+            if env::var("FRONTEND_WHITELIST")
+                .unwrap_or_default()
+                .split(',')
+                .any(|url| jump_to_url.starts_with(url))
+            {
+                &jump_to_url
+            } else {
+                "/"
+            }
+        },
+        &tk
+    ))
 }