LP#1908576: Restrict login redirection
author Mike Rylander <mrylander@gmail.com>
Thu, 1 Dec 2022 19:13:35 +0000 (14:13 -0500)
committer Jason Boyer <JBoyer@equinoxOLI.org>
Wed, 17 May 2023 14:25:31 +0000 (10:25 -0400)
commit 27c128984a6ffe528117dfabdf456f43d6c7e096
tree fb29d9e1a0a9a6dae48ff35cda0c3985e2002881
parent 3d3621cef02b046b6bb4d93b76c6fed1b59e2aec
LP#1908576: Restrict login redirection

This commit implements a new global flag: opac.login_redirect_domains
When this flag is enabled, redirection from login via redirect_to will
be restricted to local URLs.  For local URLs, they must either start
with a / (provide an absolute path) or the hostname in the URL must
match the current hostname and have a scheme of http, https, ftp, or
ftps.

The value for the global flag can be set to a list of comma-separated
domain names.  Redirection to these domains, and subdomains/hosts
thereof, will also be allowed.  For all non-local URLs allowed by the
global flag value, the scheme must be one of http, https, ftp, or ftps.

Signed-off-by: Mike Rylander <mrylander@gmail.com>
Signed-off-by: Jason Stephenson <jason@sigio.com>
Signed-off-by: Jason Boyer <JBoyer@equinoxOLI.org>
Open-ILS/src/perlmods/lib/OpenILS/WWW/EGCatLoader.pm
Open-ILS/src/sql/Pg/950.data.seed-values.sql
Open-ILS/src/sql/Pg/upgrade/XXXX.data.login_redirect_regexp.sql [new file with mode: 0644]
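As an added illustration of the policy the commit message describes (example code, not the project's EGCatLoader.pm implementation, and written in Python rather than Perl): a redirect_to check that accepts a local absolute path, or a URL whose host is the current host or sits under one of the flag's comma-separated domains, with the scheme limited to http, https, ftp or ftps. The host and domain values are constructed; the example additionally treats a scheme-relative `//host` value as non-local, because browsers resolve it to a different origin.

```python
from urllib.parse import urlsplit

# Schemes the commit message permits for any non-path redirect target.
ALLOWED_SCHEMES = {"http", "https", "ftp", "ftps"}


def parse_domain_flag(value):
    """Parse the comma-separated global-flag value into lowercased domains."""
    return [d.strip().lower().lstrip(".") for d in (value or "").split(",") if d.strip()]


def host_under_domain(host, domain):
    """True if host equals domain or is a subdomain/host beneath it."""
    return host == domain or host.endswith("." + domain)


def redirect_allowed(redirect_to, current_host, allowed_domains):
    """Return True only if redirect_to is local or explicitly allowed by the flag."""
    if not redirect_to:
        return False
    # Local absolute path: a single leading '/'. A leading '//' or '/\' is a
    # scheme-relative URL that the browser resolves to another host, so reject it.
    if redirect_to.startswith("/"):
        return len(redirect_to) == 1 or redirect_to[1] not in "/\\"
    parts = urlsplit(redirect_to)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # .hostname strips any user:pass@ prefix, so "https://host@evil" yields "evil".
    host = (parts.hostname or "").lower()
    if not host:
        return False
    if host == current_host.lower():
        return True
    return any(host_under_domain(host, d) for d in allowed_domains)


if __name__ == "__main__":
    # Constructed values: current host and a flag listing one partner domain.
    flag = parse_domain_flag("partner.example, library.example")
    for target in ("/eg/opac/myopac", "//evil.example/", "https://catalog.example.org/eg",
                   "https://books.partner.example/x", "javascript:alert(1)"):
        print(target, "->", redirect_allowed(target, "catalog.example.org", flag))
```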