From 8c0a62284d05d19da7a32c38fd491113e4510aa9 Mon Sep 17 00:00:00 2001
From: Denis Arh
Date: Tue, 1 Mar 2022 09:13:37 +0100
Subject: [PATCH] Add back-link sanitization on logout page
---
 auth/handlers/handle_logout.go | 8 ++++----
 auth/handlers/handle_logout_test.go | 4 ++--
 auth/handlers/links.go | 14 ++++++++++++--
 3 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/auth/handlers/handle_logout.go b/auth/handlers/handle_logout.go
index 0a062bf2ed..b6b887d7bc 100644
--- a/auth/handlers/handle_logout.go
+++ b/auth/handlers/handle_logout.go
@@ -22,10 +22,10 @@ func (h *AuthHandlers) logoutProc(req *request.AuthReq) (err error) {
 req.Template = TmplLogout
- if req.Request.FormValue("back") != "" {
- req.Data["link"] = req.Request.FormValue("back")
- } else {
- req.Data["link"] = GetLinks().Login
+ req.Data["link"] = GetLinks().Login
+
+ if bl := req.Request.FormValue("back"); bl != "" {
+ req.Data["link"] = sanitizeLink(bl)
 }
 return
diff --git a/auth/handlers/handle_logout_test.go b/auth/handlers/handle_logout_test.go
index c94b0e6197..555ffafa65 100644
--- a/auth/handlers/handle_logout_test.go
+++ b/auth/handlers/handle_logout_test.go
@@ -35,7 +35,7 @@ func Test_logoutProc(t *testing.T) {
 authReq = prepareClientAuthReq(authHandlers, req, user)
 req.PostForm = url.Values{}
- req.PostForm.Add("back", "/back")
+ req.PostForm.Add("back", "\"><\"")
 authReq.Session.Values = map[interface{}]interface{}{"key": url.Values{"key": []string{"value"}}}
 err := authHandlers.logoutProc(authReq)
@@ -43,6 +43,6 @@ func Test_logoutProc(t *testing.T) {
 rq.Empty(authReq.Session.Values)
 rq.Empty(authReq.AuthUser)
 rq.Empty(authReq.Client)
- rq.Equal("/back", authReq.Data["link"])
+ rq.Equal("scriptalert(origin)/script", authReq.Data["link"])
 rq.Equal(TmplLogout, authReq.Template)
 }
diff --git a/auth/handlers/links.go b/auth/handlers/links.go
index 5e05e4417b..5b2c3adaa5 100644
--- a/auth/handlers/links.go
+++ b/auth/handlers/links.go
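Review bot: The `back` value assigned to `req.Data["link"]` in the new `if bl := ...` branch is only passed through a character filter, so nothing in this hunk establishes that the link stays on this site — `sanitizeLink` (the `@@ -101,3 +107,7 @@` hunk of auth/handlers/links.go) keeps letters, `:`, `/`, `.` and `\`, which is enough for an absolute URL to another host, or a non-http scheme, to come through unchanged and turn the logout page into an open redirect. I would validate the structure before accepting the value and otherwise leave the `GetLinks().Login` default that the line above already sets; the allowlist itself is defined in the var-block hunk of links.go. This needs `net/url` and `strings` in handle_logout.go's import block, which is outside the hunk, as are the start and end of `logoutProc`. Whether the template behind `TmplLogout` re-escapes the href is not visible here, so I am assuming it does not neutralize the scheme on its own.
```go
if bl := req.Request.FormValue("back"); bl != "" {
	// Accept only a site-relative path: no scheme, no host, and not the
	// protocol-relative "//host" or "/\host" forms; anything else keeps the login link.
	u, err := url.Parse(bl)
	if err == nil && u.Scheme == "" && u.Host == "" &&
		strings.HasPrefix(bl, "/") && !strings.HasPrefix(bl, "//") && !strings.HasPrefix(bl, "/\\") {
		req.Data["link"] = sanitizeLink(bl)
	}
}
```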
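Review bot: The input and the expectation in the two hunks of Test_logoutProc do not agree as printed: stripping `"`, `<` and `>` from `"\"><\""` leaves an empty string, not `"scriptalert(origin)/script"`, so the literal on this page has presumably lost its markup tags in rendering and the committed string should be checked in the repository rather than trusted from here. Beyond that, replacing the `/back` case removed the only assertion that an ordinary relative path survives `sanitizeLink` untouched; I would keep it as a second sub-case on a fresh request (FormValue caches the parsed form), `req.PostForm.Set("back", "/back")` followed by `rq.Equal("/back", authReq.Data["link"])`, and add one with no `back` value at all asserting `rq.Equal(GetLinks().Login, authReq.Data["link"])`. The first hunk starts inside Test_logoutProc, whose opening lines are outside the diff.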
@@ -1,6 +1,9 @@
 package handlers
-import "strings"
+import (
+ "regexp"
+ "strings"
+)
 type (
 Links struct {
@@ -47,7 +50,10 @@ type (
 }
 )
-var BasePath string = "/"
+var (
+ invalidLinkChars = regexp.MustCompile(`[^-A-Za-z0-9+&@#/%?=~_|!:,.;\\(\\)]`)
+ BasePath string = "/"
+)
 func GetLinks() Links {
 var b = strings.TrimSuffix(BasePath, "/") + "/"
@@ -101,3 +107,7 @@ func tbp(s string) string {
 return s
 }
+
+func sanitizeLink(l string) string {
+ return invalidLinkChars.ReplaceAllString(l, "")
+}
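Review bot: In `invalidLinkChars`, `\\(\\)` inside a backtick raw string reaches the regexp engine as two escaped backslashes plus bare parentheses, so the allowlist admits a literal `\` as well as `(` and `)`; if only parentheses were meant, `[^-A-Za-z0-9+&@#/%?=~_|!:,.;()]` is the intended class (neither character needs escaping inside brackets). Keeping `\` is not harmless, because the WHATWG URL parser used by browsers treats `\` like `/` in http URLs, which undermines any later "starts with a single slash" check on the link. The variable also lacks a comment; I would add `// invalidLinkChars matches every character that sanitizeLink removes from a user-supplied back-link.` above it.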
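Review bot: `sanitizeLink` has no doc comment, and its name promises more than a character filter delivers: after `ReplaceAllString` the result can still carry a scheme and host, so the contract should be stated explicitly, e.g. `// sanitizeLink strips every character outside the invalidLinkChars allowlist from a user-supplied back-link. It does not validate the link's scheme, host or path; callers must check those separately.` If callers are meant to rely on this function alone, the structural check belongs here instead — parse with `net/url`, require an empty scheme and host and a leading single `/`, and return `""` for anything else so the caller's default link stands.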