rubycas · gregmolnar · Aug 20, 2014
diff --git a/config/config.example.yml b/config/config.example.yml
@@ -541,3 +541,6 @@ log:
 #allowed_service_ips:
 #  - 127.0.0.1
 #  - 192.168.0.0/24
+
+allowed_service_hosts:
+  - http://localhost
diff --git a/lib/casserver/cas.rb b/lib/casserver/cas.rb
@@ -316,8 +316,12 @@ def clean_service_url(dirty_service)
 
     $LOG.debug("Cleaned dirty service URL #{dirty_service.inspect} to #{clean_service.inspect}") if
       dirty_service != clean_service
-
-    return clean_service
+    allowed_hosts = settings.config[:allowed_service_hosts] rescue []
+    if allowed_hosts.include? clean_service
+      return clean_service
+    else
+      return '/'
+    end
   end
   module_function :clean_service_url
 

diff --git a/spec/casserver_spec.rb b/spec/casserver_spec.rb
@@ -92,8 +92,17 @@
       #page.should have_xpath("<script>alert(32)</script>")
     end
 
-  end # describe '/login'
+    it "does not redirect to not allowed service" do
+      visit "/login?service="+CGI.escape("http://badguy.com")
+
+      fill_in 'username', :with => VALID_USERNAME
+      fill_in 'password', :with => VALID_PASSWORD
 
+      click_button 'login-submit'
+      page.current_url.should_not =~ /^#{Regexp.escape("http://badguy.com")}\/?\?ticket=ST\-[1-9rA-Z]+/
+    end
+
+  end # describe '/login'
 
   describe '/logout' do
     describe 'user logged in' do

diff --git a/spec/config/default_config.yml b/spec/config/default_config.yml
@@ -50,4 +50,7 @@ enable_single_sign_out: true
 #downcase_username: true
 
 allowed_service_ips:
-  - 127.0.0.0/24
+  - 127.0.0.0/24
+allowed_service_hosts:
+  - http://localhost
+  - http://my.app.test