From bd754c444525242c439e05aedcab1a292d132595 Mon Sep 17 00:00:00 2001
From: Risto Lahtela <24460436+Rsl1122@users.noreply.github.com>
Date: Sun, 24 Jan 2021 12:21:02 +0200
Subject: [PATCH] Prevent redirection to another website on login

Affects issues:
- Fixed #1717

---
 .../webserver/resolver/auth/LoginPageResolver.java | 7 ++++---
 Plan/common/src/main/resources/assets/plan/web/login.html | 2 +-
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/Plan/common/src/main/java/com/djrapitops/plan/delivery/webserver/resolver/auth/LoginPageResolver.java b/Plan/common/src/main/java/com/djrapitops/plan/delivery/webserver/resolver/auth/LoginPageResolver.java
index 28d7647ac..a3b40a171 100644
--- a/Plan/common/src/main/java/com/djrapitops/plan/delivery/webserver/resolver/auth/LoginPageResolver.java
+++ b/Plan/common/src/main/java/com/djrapitops/plan/delivery/webserver/resolver/auth/LoginPageResolver.java
@@ -31,8 +31,8 @@ import java.util.Optional;
 @Singleton
 public class LoginPageResolver implements NoAuthResolver {
 
-    private ResponseFactory responseFactory;
-    private Lazy webServer;
+    private final ResponseFactory responseFactory;
+    private final Lazy webServer;
 
     @Inject
     public LoginPageResolver(
@@ -47,7 +47,8 @@ public class LoginPageResolver implements NoAuthResolver {
     public Optional resolve(Request request) {
         Optional user = request.getUser();
         if (user.isPresent() || !webServer.get().isAuthRequired()) {
-            Optional from = request.getQuery().get("from");
+            Optional from = request.getQuery().get("from")
+                    .filter(redirectBackTo -> !redirectBackTo.startsWith("http"));
             return Optional.of(responseFactory.redirectResponse(from.orElse("/")));
         }
         return Optional.of(responseFactory.loginPageResponse());
diff --git a/Plan/common/src/main/resources/assets/plan/web/login.html b/Plan/common/src/main/resources/assets/plan/web/login.html
index f64f6ec25..722da8e9f 100644
--- a/Plan/common/src/main/resources/assets/plan/web/login.html
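Review bot: The `.filter(redirectBackTo -> !redirectBackTo.startsWith("http"))` added to `resolve` only closes the lower-case absolute-URL case of #1717: a protocol-relative value such as `//evil.example/`, a scheme in another case (`HTTP://evil.example`), or a backslash form (`/\evil.example`, which browsers normalise to `//evil.example`) all pass the filter and reach `redirectResponse`, so the login can still bounce the user to another site. An allow-list is the safer shape here: accept `from` only when it is a same-origin absolute path (a single leading `/`, no second `/` or `\`, no control characters) and otherwise fall back to `/`. How `redirectResponse` turns the string into a `Location` header is not visible in this hunk; if it already prefixes the server's own address the check below is still cheap defence in depth. `resolve`'s closing brace lies outside the hunk, and the type arguments appear to have been stripped by the page rendering, so the excerpt assumes `Optional<String>`.
```java
// … unchanged: user lookup and isAuthRequired() check …
Optional<String> from = request.getQuery().get("from")
        .filter(LoginPageResolver::isSameOriginPath);
return Optional.of(responseFactory.redirectResponse(from.orElse("/")));
// … unchanged: loginPageResponse() fallback …

// New helper, placed after resolve().
/**
 * Only a same-origin absolute path is a safe post-login redirect target.
 * Rejects scheme-qualified URLs in any letter case, protocol-relative forms
 * ("//host", "/\host") and control characters, which browsers strip before
 * parsing (so "/\t/host" would otherwise turn into "//host").
 *
 * @param target raw value of the {@code from} query parameter
 * @return true if {@code target} may be used verbatim as a redirect location
 */
private static boolean isSameOriginPath(String target) {
    if (target.isEmpty() || target.charAt(0) != '/') {
        return false;
    }
    if (target.length() > 1 && (target.charAt(1) == '/' || target.charAt(1) == '\\')) {
        return false;
    }
    for (int i = 0; i < target.length(); i++) {
        char c = target.charAt(i);
        if (c < ' ' || c == 0x7f) {
            return false;
        }
    }
    return true;
}
```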
+++ b/Plan/common/src/main/resources/assets/plan/web/login.html
@@ -50,7 +50,7 @@
             if (json && json.success) {
                 const urlParams = new URLSearchParams(window.location.search);
                 const cameFrom = urlParams.get('from');
-                window.location.href = cameFrom ? cameFrom : './';
+                window.location.href = cameFrom && !cameFrom.startsWith("http") ? cameFrom : './';
             } else {
                 return displayError('Login failed: ' + json.error);
             }
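Review bot: The new `!cameFrom.startsWith("http")` guard on the `window.location.href` assignment is a deny-list and leaves the dangerous cases open: a `?from=javascript:…` value does not start with `http`, is still assigned to `location.href` after a successful login and runs as script in the page, and `//evil.example` or `HTTP://evil.example` still navigate off-site. Mirror an allow-list instead, e.g. `const isLocalPath = cameFrom && /^\/(?![\/\\])/.test(cameFrom);` followed by `window.location.href = isLocalPath ? cameFrom : './';`; if odd encodings are a concern, `new URL(cameFrom, location.href).origin === location.origin` inside a try/catch gives the same answer with the browser's own parser. The callback that contains this `if (json && json.success)` block starts before the hunk.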