From 330b0e15ddf3353ca472e29ad34e3e051e3c23a5 Mon Sep 17 00:00:00 2001
From: Boris Polonsky
Date: Mon, 8 Sep 2025 19:37:05 +0800
Subject: [PATCH 1/2] Fix open redirect vulnerability during login: `login_url` should match current domain to take effect
---
 install/docker/project.py | 6 +++++-
 install/kubernetes/cube/overlays/config/project.py | 6 +++++-
 myapp/project.py | 6 +++++-
 3 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/install/docker/project.py b/install/docker/project.py
index ea9b1079..20805b8b 100644
--- a/install/docker/project.py
+++ b/install/docker/project.py
@@ -160,7 +160,11 @@ def login(self):
 if user:
 login_user(user, remember=True)
 if comed_url:
- return redirect(comed_url)
+ # 仅开放同域名跳转,避免开放式URL重定向漏洞
+ from werkzeug.urls import url_parse
+ parsed_url = url_parse(comed_url)
+ if not parsed_url.netloc or parsed_url.netloc == request.host:
+ return redirect(comed_url)
 return redirect(self.appbuilder.get_url_for_index)
 # 如果已经登录了,那么直接进去首页
 if g.user is not None and g.user.is_authenticated:
diff --git a/install/kubernetes/cube/overlays/config/project.py b/install/kubernetes/cube/overlays/config/project.py
index 3bc4c3c9..4c1f9d69 100644
--- a/install/kubernetes/cube/overlays/config/project.py
+++ b/install/kubernetes/cube/overlays/config/project.py
@@ -160,7 +160,11 @@ def login(self):
 if user:
 login_user(user, remember=True)
 if comed_url:
- return redirect(comed_url)
+ # 仅开放同域名跳转,避免开放式URL重定向漏洞
+ from werkzeug.urls import url_parse
+ parsed_url = url_parse(comed_url)
+ if not parsed_url.netloc or parsed_url.netloc == request.host:
+ return redirect(comed_url)
 return redirect(self.appbuilder.get_url_for_index)
 # 如果已经登录了,那么直接进去首页
 if g.user is not None and g.user.is_authenticated:
diff --git a/myapp/project.py b/myapp/project.py
index 57198676..52236eac 100644
--- a/myapp/project.py
+++ b/myapp/project.py
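Review bot: The new guard on the `+ if not parsed_url.netloc or parsed_url.netloc == request.host:` line still accepts any value whose netloc is empty regardless of its scheme, and the `== request.host` branch never checks the scheme either, so the relative branch should additionally require an empty scheme and a target that begins with exactly one `/` and contains no backslash (browsers collapse extra leading slashes and normalize `\` to `/`), while the absolute branch should require `parsed_url.scheme in ("http", "https")`. `werkzeug.urls.url_parse` was deprecated in Werkzeug 2.3 and removed in 3.0, so the function-local import is better replaced by a module-level `from urllib.parse import urlsplit`. The same five added lines are repeated in the install/kubernetes and myapp hunks of this patch and revised again in all three hunks of PATCH 2/2, whose `(not parsed_url.netloc and parsed_url.path)` form has the same gaps, so the guard below should replace all six copies and ideally live in one shared helper so the three files cannot drift apart. `login` begins outside the hunk.
```python
            if comed_url:
                # Only follow targets that stay on this host: either a path-only value
                # (single leading "/", no scheme, no backslash) or an http(s) URL whose
                # host equals the one this request was served on.
                parsed_url = urlsplit(comed_url)  # urllib.parse, imported at module top
                same_host = (
                    parsed_url.scheme in ("http", "https")
                    and parsed_url.netloc == request.host
                )
                local_path = (
                    not parsed_url.scheme
                    and not parsed_url.netloc
                    and comed_url.startswith("/")
                    and not comed_url.startswith("//")
                    and "\\" not in comed_url
                )
                if same_host or local_path:
                    return redirect(comed_url)
            return redirect(self.appbuilder.get_url_for_index)
```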
@@ -160,7 +160,11 @@ def login(self):
 if user:
 login_user(user, remember=True)
 if comed_url:
- return redirect(comed_url)
+ # 仅开放同域名跳转,避免开放式URL重定向漏洞
+ from werkzeug.urls import url_parse
+ parsed_url = url_parse(comed_url)
+ if not parsed_url.netloc or parsed_url.netloc == request.host:
+ return redirect(comed_url)
 return redirect(self.appbuilder.get_url_for_index)
 
 if g.user is not None and g.user.is_authenticated:
From 343d86364947ae6a0a2c4b40496295091fb912eb Mon Sep 17 00:00:00 2001
From: Boris Polonsky
Date: Tue, 9 Sep 2025 16:22:13 +0800
Subject: [PATCH 2/2] Patch the redirection when login_url wasn't specified
---
 install/docker/project.py | 2 +-
 install/kubernetes/cube/overlays/config/project.py | 2 +-
 myapp/project.py | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/install/docker/project.py b/install/docker/project.py
index 20805b8b..32644a1e 100644
--- a/install/docker/project.py
+++ b/install/docker/project.py
@@ -163,7 +163,7 @@ def login(self):
 # 仅开放同域名跳转,避免开放式URL重定向漏洞
 from werkzeug.urls import url_parse
 parsed_url = url_parse(comed_url)
- if not parsed_url.netloc or parsed_url.netloc == request.host:
+ if (not parsed_url.netloc and parsed_url.path) or parsed_url.netloc == request.host:
 return redirect(comed_url)
 return redirect(self.appbuilder.get_url_for_index)
 # 如果已经登录了,那么直接进去首页
diff --git a/install/kubernetes/cube/overlays/config/project.py b/install/kubernetes/cube/overlays/config/project.py
index 4c1f9d69..d39c7580 100644
--- a/install/kubernetes/cube/overlays/config/project.py
+++ b/install/kubernetes/cube/overlays/config/project.py
@@ -163,7 +163,7 @@ def login(self):
 # 仅开放同域名跳转,避免开放式URL重定向漏洞
 from werkzeug.urls import url_parse
 parsed_url = url_parse(comed_url)
- if not parsed_url.netloc or parsed_url.netloc == request.host:
+ if (not parsed_url.netloc and parsed_url.path) or parsed_url.netloc == request.host:
 return redirect(comed_url)
 return redirect(self.appbuilder.get_url_for_index)
 # 如果已经登录了,那么直接进去首页
diff --git a/myapp/project.py b/myapp/project.py
index 52236eac..212c3ce1 100644
--- a/myapp/project.py
+++ b/myapp/project.py
@@ -163,7 +163,7 @@ def login(self):
 # 仅开放同域名跳转,避免开放式URL重定向漏洞
 from werkzeug.urls import url_parse
 parsed_url = url_parse(comed_url)
- if not parsed_url.netloc or parsed_url.netloc == request.host:
+ if (not parsed_url.netloc and parsed_url.path) or parsed_url.netloc == request.host:
 return redirect(comed_url)
 return redirect(self.appbuilder.get_url_for_index)
 