Merge branch 'master' of github.com:chamilo/chamilo-lms

ywarnier · ywarnier · commit 0c1d829d7149 · 2025-11-30T02:08:25.000+01:00
diff --git a/assets/vue/components/Login.vue b/assets/vue/components/Login.vue
@@ -100,8 +100,12 @@ const isInIframe = window.self !== window.top
 if (isInIframe) {
   try {
     const parentUrl = window.top.location.href
-    window.top.location.href = "/login?redirect=" + encodeURIComponent(parentUrl)
+    const parent = new URL(parentUrl)
+    // Only keep path + query + hash so redirect stays internal
+    const redirectPath = parent.pathname + parent.search + parent.hash
+    window.top.location.href = "/login?redirect=" + encodeURIComponent(redirectPath)
   } catch (e) {
+    // Cross-origin or other error: just go to login without redirect
     window.top.location.href = "/login"
   }
 }
diff --git a/assets/vue/composables/auth/login.js b/assets/vue/composables/auth/login.js
@@ -52,13 +52,13 @@ function normalizeRedirectUrl(rawRedirect) {
   try {
     const currentOrigin = window.location.origin
 
-    // root-relative path ("/resources/pages/edit?id=...")
+    // Root-relative path ("/resources/pages/edit?id=...")
     if (rawRedirect.startsWith("/")) {
       const url = new URL(rawRedirect, currentOrigin)
       return url.pathname + url.search + url.hash
     }
 
-    // absolute URL - validate protocol first
+    // Absolute URL - validate protocol first
     if (!isValidHttpUrl(rawRedirect)) {
       return null
     }
@@ -102,10 +102,11 @@ export function useLogin() {
         totp,
       }
 
-      // Add returnUrl if exists in query param
-      const returnUrl = route.query.redirect?.toString() || null
-      if (returnUrl) {
-        payload.returnUrl = returnUrl
+      // Add returnUrl if exists in query param, but sanitize it first
+      const rawReturnUrl = route.query.redirect?.toString() || null
+      const safeReturnUrl = rawReturnUrl ? normalizeRedirectUrl(rawReturnUrl) : null
+      if (safeReturnUrl) {
+        payload.returnUrl = safeReturnUrl
       }
 
       const responseData =
@@ -122,7 +123,8 @@ export function useLogin() {
       // If backend forces password rotation, still apply locale before redirect
       if (responseData.rotate_password && responseData.redirect) {
         applyUserLocale(responseData)
-        window.location.href = responseData.redirect
+        const safeRedirect = normalizeRedirectUrl(responseData.redirect.toString())
+        window.location.href = safeRedirect || "/"
         return { success: true, rotate: true }
       }
 
@@ -135,8 +137,10 @@ export function useLogin() {
       // Terms and conditions redirect (apply locale before navigating)
       if (responseData.load_terms && responseData.redirect) {
         applyUserLocale(responseData)
-        window.location.href = responseData.redirect
-        return { success: true, redirect: responseData.redirect }
+        const safeRedirect = normalizeRedirectUrl(responseData.redirect.toString())
+        const target = safeRedirect || "/"
+        window.location.href = target
+        return { success: true, redirect: target }
       }
 
       // External redirect param (apply locale before navigating)
@@ -147,7 +151,6 @@ export function useLogin() {
         const safeRedirect = normalizeRedirectUrl(rawRedirect)
 
         if (safeRedirect) {
-          // Keep query params (e.g. "?id=/api/pages/6") intact on same origin
           // Full reload here is intentional so the full app shell is rebuilt.
           window.location.href = safeRedirect
           return { success: true }
@@ -157,7 +160,8 @@ export function useLogin() {
       // Fallback backend redirect (apply locale before navigating)
       if (responseData.redirect) {
         applyUserLocale(responseData)
-        window.location.href = responseData.redirect
+        const safeRedirect = normalizeRedirectUrl(responseData.redirect.toString())
+        window.location.href = safeRedirect || "/"
         return { success: true }
       }
 
diff --git a/src/CoreBundle/EventListener/ExceptionListener.php b/src/CoreBundle/EventListener/ExceptionListener.php
@@ -52,9 +52,15 @@ public function __invoke(ExceptionEvent $event): void
         ) {
             // If no token (not logged in), redirect to login with "redirect" back param
             if (null === $this->tokenStorage->getToken()) {
+                // Use only a relative path (path + query) for the redirect parameter
+                $redirectPath = $request->getRequestUri();
+                if (!\is_string($redirectPath) || '' === $redirectPath) {
+                    $redirectPath = '/';
+                }
+
                 $loginUrl = $this->router->generate(
                     'login',
-                    ['redirect' => $request->getSchemeAndHttpHost().$request->getRequestUri()],
+                    ['redirect' => $redirectPath],
                     UrlGeneratorInterface::ABSOLUTE_URL
                 );
                 $event->setResponse(new RedirectResponse($loginUrl));

Original file line number	Diff line number	Diff line change
`@@ -100,8 +100,12 @@ const isInIframe = window.self !== window.top`
`100`	`100`	`if (isInIframe) {`
`101`	`101`	`try {`
`102`	`102`	`const parentUrl = window.top.location.href`
`103`		`- window.top.location.href = "/login?redirect=" + encodeURIComponent(parentUrl)`
	`103`	`+ const parent = new URL(parentUrl)`
	`104`	`+ // Only keep path + query + hash so redirect stays internal`
	`105`	`+ const redirectPath = parent.pathname + parent.search + parent.hash`
	`106`	`+ window.top.location.href = "/login?redirect=" + encodeURIComponent(redirectPath)`
`104`	`107`	`} catch (e) {`
	`108`	`+ // Cross-origin or other error: just go to login without redirect`
`105`	`109`	`window.top.location.href = "/login"`
`106`	`110`	`}`
`107`	`111`	`}`