diff --git a/config/config.example.yml b/config/config.example.yml index f49c5211..52491545 100644 --- a/config/config.example.yml +++ b/config/config.example.yml @@ -541,3 +541,6 @@ log: #allowed_service_ips: # - 127.0.0.1 # - 192.168.0.0/24 + +allowed_service_hosts: + - http://localhost diff --git a/lib/casserver/cas.rb b/lib/casserver/cas.rb index d652d217..7c49a3e2 100644 --- a/lib/casserver/cas.rb +++ b/lib/casserver/cas.rb @@ -316,8 +316,12 @@ def clean_service_url(dirty_service) $LOG.debug("Cleaned dirty service URL #{dirty_service.inspect} to #{clean_service.inspect}") if dirty_service != clean_service - - return clean_service + allowed_hosts = settings.config[:allowed_service_hosts] rescue [] + if allowed_hosts.include? clean_service + return clean_service + else + return '/' + end end module_function :clean_service_url diff --git a/spec/casserver_spec.rb b/spec/casserver_spec.rb index b49c1a03..b4d9e8d9 100644 --- a/spec/casserver_spec.rb +++ b/spec/casserver_spec.rb @@ -92,8 +92,17 @@ #page.should have_xpath("") end - end # describe '/login' + it "does not redirect to not allowed service" do + visit "/login?service="+CGI.escape("http://badguy.com") + + fill_in 'username', :with => VALID_USERNAME + fill_in 'password', :with => VALID_PASSWORD + click_button 'login-submit' + page.current_url.should_not =~ /^#{Regexp.escape("http://badguy.com")}\/?\?ticket=ST\-[1-9rA-Z]+/ + end + + end # describe '/login' describe '/logout' do describe 'user logged in' do diff --git a/spec/config/default_config.yml b/spec/config/default_config.yml index 90a83914..9ebe4794 100644 --- a/spec/config/default_config.yml +++ b/spec/config/default_config.yml @@ -50,4 +50,7 @@ enable_single_sign_out: true #downcase_username: true allowed_service_ips: - - 127.0.0.0/24 \ No newline at end of file + - 127.0.0.0/24 +allowed_service_hosts: + - http://localhost + - http://my.app.test