From ec7fb82a94729cd541761509985fb9ffc03b9faa Mon Sep 17 00:00:00 2001
From: Johannes Meyer
Date: Thu, 1 Dec 2022 14:07:29 +0100
Subject: [PATCH] login: Don't redirect to external resources
fixes #4945
---
 .../controllers/AuthenticationController.php | 13 ++++++++++++-
 application/forms/Authentication/LoginForm.php | 10 +++++++++-
 2 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/application/controllers/AuthenticationController.php b/application/controllers/AuthenticationController.php
index 352bf6c95d..4254433129 100644
--- a/application/controllers/AuthenticationController.php
+++ b/application/controllers/AuthenticationController.php
@@ -68,7 +68,18 @@ public function loginAction()
 // Call provided AuthenticationHook(s) when login action is called
 // but icinga web user is already authenticated
 AuthenticationHook::triggerLogin($this->Auth()->getUser());
- $this->redirectNow($this->params->get('redirect', $form->getRedirectUrl()));
+
+ $redirect = $this->params->get('redirect');
+ if ($redirect) {
+ $redirectUrl = Url::fromPath($redirect, [], $this->getRequest());
+ if ($redirectUrl->isExternal()) {
+ $this->httpBadRequest('nope');
+ }
+ } else {
+ $redirectUrl = $form->getRedirectUrl();
+ }
+
+ $this->redirectNow($redirectUrl);
 }
 if (! $requiresSetup) {
 $cookies = new CookieHelper($this->getRequest());
diff --git a/application/forms/Authentication/LoginForm.php b/application/forms/Authentication/LoginForm.php
index 8a71ecf554..87b32ab3c6 100644
--- a/application/forms/Authentication/LoginForm.php
+++ b/application/forms/Authentication/LoginForm.php
@@ -10,6 +10,7 @@
 use Icinga\Authentication\Auth;
 use Icinga\Authentication\User\ExternalBackend;
 use Icinga\Common\Database;
+use Icinga\Exception\Http\HttpBadRequestException;
 use Icinga\User;
 use Icinga\Web\Form;
 use Icinga\Web\RememberMe;
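Review bot: The rejection in the new `if ($redirectUrl->isExternal())` branch relies on `$this->httpBadRequest('nope')` never returning; if that helper only sets a response status, the external URL still reaches `$this->redirectNow($redirectUrl)` at the end of the hunk. If `httpBadRequest()` throws, as the surrounding controller code presumably relies on, say so in place with `// httpBadRequest() throws, so an external target never reaches redirectNow()`, otherwise add a `return;` directly after it. `if ($redirect)` is a truthiness test, so a redirect value of `'0'` quietly falls back to the form's default where the replaced `params->get('redirect', ...)` would have used it; `if ($redirect !== null && $redirect !== '')` keeps the old semantics. The text `'nope'` is also what ends up in logs and on the error page, so a descriptive message such as `'Redirect to external resources is not allowed'` makes the rejection recognisable during triage (the same applies to the throw in LoginForm::getRedirectUrl()). Whether `isExternal()` also covers protocol-relative (`//host/path`) or scheme-only inputs depends on how `Url::fromPath()` parses them, which is outside this diff; a unit test with those inputs would pin the guarantee.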
@@ -119,10 +120,17 @@ public function getRedirectUrl()
 if ($this->created) {
 $redirect = $this->getElement('redirect')->getValue();
 }
+
 if (empty($redirect) || strpos($redirect, 'authentication/logout') !== false) {
 $redirect = static::REDIRECT_URL;
 }
- return Url::fromPath($redirect);
+
+ $redirectUrl = Url::fromPath($redirect);
+ if ($redirectUrl->isExternal()) {
+ throw new HttpBadRequestException('nope');
+ }
+
+ return $redirectUrl;
 }
 /**
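Review bot: `getRedirectUrl()` now throws `HttpBadRequestException` from what callers read as a plain getter, and the method's docblock (above line 119, outside the hunk) does not say so; add `@throws HttpBadRequestException if the submitted redirect target is external` to it so callers such as the login controller know the exception can surface from here. This is the check that matters on a fresh login: the `redirect` element's value comes from the submitted form, so it is request-controlled even though the form renders it, and the `isExternal()` guard is what keeps a tampered value from sending a just-authenticated user off-site. `Url::fromPath($redirect)` is called here without the request argument that AuthenticationController passes as `Url::fromPath($redirect, [], $this->getRequest())`; whether that changes how a bare path is resolved is not visible in the diff, and using the same call shape in both places would remove the question. As in the controller, `'nope'` is worth replacing with a message an operator can recognise, e.g. `throw new HttpBadRequestException('Redirect to external resources is not allowed');`.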