From 9911b5c7dd2b8a8962a61e2cf9e98fa8fb1725c9 Mon Sep 17 00:00:00 2001
From: Eric Callahan <arksine.code@gmail.com>
Date: Fri, 28 Jan 2022 14:05:48 -0500
Subject: [PATCH] app: don't allow open redirects in '/server/redirect'

Validate that the URL argument against the `cors_domains` option.

Signed-off-by:  Eric Callahan <arksine.code@gmail.com>
---
 moonraker/app.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/moonraker/app.py b/moonraker/app.py
index a58fa06..eb1819a 100644
--- a/moonraker/app.py
+++ b/moonraker/app.py
@@ -919,4 +919,9 @@ class RedirectHandler(AuthorizedRequestHandler):
                     400, "No url argument provided")
             url = body_args['url']
             assert url is not None
+        # validate the url origin
+        auth: AuthComp = self.server.lookup_component('authorization', None)
+        if auth is None or not auth.check_cors(url.rstrip("/")):
+            raise tornado.web.HTTPError(
+                400, f"Unauthorized URL redirect: {url}")
         self.redirect(url)