kenmirrors/firefly-iii
1
0
Fork 0
mirror of https://github.com/firefly-iii/firefly-iii.git synced 2025-10-12 15:35:15 +00:00
Code Issues Projects Releases Wiki Activity

Fix previous url, also in Safari

Browse Source
This commit is contained in:
James Cole
2021-10-03 06:06:49 +02:00
parent 4e7a27dd65
commit ab6707b9d9
2 changed files with 61 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
app/Http/Middleware/StartFireflySession.php
View File

@@ -42,16 +42,20 @@ class StartFireflySession extends StartSession
*/ */
protected function storeCurrentUrl(Request $request, $session): void protected function storeCurrentUrl(Request $request, $session): void
{ {
$url = $request->fullUrl(); $url = $request->fullUrl();
$forbiddenWords = strpos($url, 'offline') || strpos($url, 'jscript') || strpos($url, 'delete') || strpos($url, '/login') || strpos($url, '/json') || strpos($url, 'serviceworker') || strpos($url, '/attachments/view'); $safeUrl = app('steam')->getSafeUrl($url, route('index'));
if (false === $forbiddenWords if ($url !== $safeUrl) {
&& 'GET' === $request->method() //Log::debug(sprintf('storeCurrentUrl: converted "%s" to "%s", so will not use it.', $url, $safeUrl));
&& !$request->ajax()) {
//Log::debug(sprintf('Redirect is now "%s".', $url));
$session->setPreviousUrl($url);
return; return;
} }
//Log::debug(sprintf('Refuse to set "%s" as current URL.', $url));
if ('GET' === $request->method() && !$request->ajax()) {
//Log::debug(sprintf('storeCurrentUrl: Redirect is now "%s".', $safeUrl));
$session->setPreviousUrl($safeUrl);
return;
}
//Log::debug(sprintf('storeCurrentUrl: Refuse to set "%s" as current URL.', $safeUrl));
} }
} }

49
app/Support/Steam.php
View File

@@ -31,7 +31,9 @@ use FireflyIII\Models\TransactionCurrency;
use FireflyIII\Repositories\Account\AccountRepositoryInterface; use FireflyIII\Repositories\Account\AccountRepositoryInterface;
use Illuminate\Support\Collection; use Illuminate\Support\Collection;
use JsonException; use JsonException;
use Log;
use stdClass; use stdClass;
use Str;
/** /**
* Class Steam. * Class Steam.
@@ -41,6 +43,53 @@ use stdClass;
class Steam class Steam
{ {
/**
* Returns the previous URL but refuses to send you to specific URLs.
*
* - outside domain
* - to JS files, API or JSON routes
*
* Uses the session's previousUrl() function as inspired by GitHub user @z1r0-
*
* session()->previousUrl() uses getSafeUrl() so we can safely return it:
*
* @return string
*/
public function getSafePreviousUrl(): string
{
//Log::debug(sprintf('getSafePreviousUrl: "%s"', session()->previousUrl()));
return session()->previousUrl() ?? route('index');
}
/**
* Make sure URL is safe.
*
* @param string $unknownUrl
* @param string $safeUrl
*
* @return string
*/
public function getSafeUrl(string $unknownUrl, string $safeUrl): string
{
//Log::debug(sprintf('getSafeUrl(%s, %s)', $unknownUrl, $safeUrl));
$returnUrl = $safeUrl;
$unknownHost = parse_url($unknownUrl, PHP_URL_HOST);
$safeHost = parse_url($safeUrl, PHP_URL_HOST);
if (null !== $unknownHost && $unknownHost === $safeHost) {
$returnUrl = $unknownUrl;
}
// URL must not lead to weird pages
$forbiddenWords = ['jscript', 'json', 'debug', 'serviceworker', 'offline', 'delete', '/login', '/attachments/view'];
if (Str::contains($returnUrl, $forbiddenWords)) {
$returnUrl = $safeUrl;
}
return $returnUrl;
}
/** /**
* @param Account $account * @param Account $account
* @param Carbon $date * @param Carbon $date