[fix]SSO注销接口，严格校验回跳地址，区分SSO模式和本地模式

NewLifeX · Nov 25, 2024 · c0827d3 · c0827d3
1 parent 87f4ed6
commit c0827d3
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 4 deletions.
diff --git a/NewLife.Cube/Controllers/SsoController.cs b/NewLife.Cube/Controllers/SsoController.cs
@@ -305,7 +305,8 @@ public virtual ActionResult Logout()
     {
         // 先读Session，待会会清空
         var prov = Provider;
-        var name = Session["Cube_Sso"] as String;
+        var name = GetRequest("name");
+        if (name.IsNullOrEmpty()) name = Session["Cube_Sso"] as String;
         var client = prov.GetClient(name);
         client.Init(GetUserAgent());
 
@@ -318,7 +319,8 @@ public virtual ActionResult Logout()
         var set = CubeSetting.Current;
         if (client != null && set.LogoutAll)
         {
-            if (client.LogoutUrl.IsNullOrEmpty() && name.EqualIgnoreCase("NewLife")) client.LogoutUrl = "logout?client_id={key}&redirect_uri={redirect}&state={state}";
+            if (client.LogoutUrl.IsNullOrEmpty() && name.EqualIgnoreCase("NewLife")) 
+                client.LogoutUrl = "logout?client_id={key}&redirect_uri={redirect}&state={state}";
             if (!client.LogoutUrl.IsNullOrEmpty())
             {
                 // 准备返回地址
@@ -340,6 +342,22 @@ public virtual ActionResult Logout()
         url = Provider?.GetReturnUrl(Request, false);
         if (url.IsNullOrEmpty()) url = "~/";
 
+        // 严格校验回跳地址，区分SSO模式和本地模式
+        if (url.StartsWithIgnoreCase("http://", "https://"))
+        {
+            var clientId = GetRequest("client_id");
+            if (!clientId.IsNullOrEmpty())
+            {
+                var app = OAuth.Auth(clientId, null, UserHost);
+                if (!app.ValidCallback(url)) throw new XException("回调地址不合法 {0}", url);
+            }
+            else
+            {
+                // 本地模式，只允许回到本站点
+                url = "~/";
+            }
+        }
+
         return Redirect(url);
     }
 

diff --git a/NewLife.CubeNC/Controllers/SsoController.cs b/NewLife.CubeNC/Controllers/SsoController.cs
@@ -301,7 +301,8 @@ public virtual ActionResult Logout()
     {
         // 先读Session，待会会清空
         var prov = Provider;
-        var name = Session["Cube_Sso"] as String;
+        var name = GetRequest("name");
+        if (name.IsNullOrEmpty()) name = Session["Cube_Sso"] as String;
         var client = prov.GetClient(name);
         client.Init(GetUserAgent());
 
@@ -314,7 +315,8 @@ public virtual ActionResult Logout()
         var set = CubeSetting.Current;
         if (client != null && set.LogoutAll)
         {
-            if (client.LogoutUrl.IsNullOrEmpty() && name.EqualIgnoreCase("NewLife")) client.LogoutUrl = "logout?client_id={key}&redirect_uri={redirect}&state={state}";
+            if (client.LogoutUrl.IsNullOrEmpty() && name.EqualIgnoreCase("NewLife"))
+                client.LogoutUrl = "logout?client_id={key}&redirect_uri={redirect}&state={state}";
             if (!client.LogoutUrl.IsNullOrEmpty())
             {
                 // 准备返回地址
@@ -336,6 +338,22 @@ public virtual ActionResult Logout()
         url = Provider?.GetReturnUrl(Request, false);
         if (url.IsNullOrEmpty()) url = "~/";
 
+        // 严格校验回跳地址，区分SSO模式和本地模式
+        if (url.StartsWithIgnoreCase("http://", "https://"))
+        {
+            var clientId = GetRequest("client_id");
+            if (!clientId.IsNullOrEmpty())
+            {
+                var app = OAuth.Auth(clientId, null, UserHost);
+                if (!app.ValidCallback(url)) throw new XException("回调地址不合法 {0}", url);
+            }
+            else
+            {
+                // 本地模式，只允许回到本站点
+                url = "~/";
+            }
+        }
+
         return Redirect(url);
     }