app: don't allow open redirects in '/server/redirect'

Validate that the URL argument against the `cors_domains` option. Signed-off-by: Eric Callahan <arksine.code@gmail.com>
2022-01-28 14:05:48 -05:00 · 2022-01-28 14:05:48 -05:00 · 9911b5c7dd
parent 41c19e4b9a
commit 9911b5c7dd
1 changed files with 5 additions and 0 deletions
--- a/moonraker/app.py
+++ b/moonraker/app.py
@ -919,4 +919,9 @@ class RedirectHandler(AuthorizedRequestHandler):
                    400, "No url argument provided")
            url = body_args['url']
            assert url is not None
+        # validate the url origin
+        auth: AuthComp = self.server.lookup_component('authorization', None)
+        if auth is None or not auth.check_cors(url.rstrip("/")):
+            raise tornado.web.HTTPError(
+                400, f"Unauthorized URL redirect: {url}")
        self.redirect(url)