fix http://redmine.yoho.cn/issues/14282

陈轩
Commit 8b67ccf240d2ccd38ab4701e4e24754746328278 1 parent 2735742e
Showing 2 changed files with 16 additions and 2 deletions
apps/passport/controllers/login.js
apps/passport/controllers/reg.js
--- a/apps/passport/controllers/login.js
View file @8b67ccf
+++ b/apps/passport/controllers/login.js
View file @8b67ccf
@@ -69,8 +69,8 @@ const common = {
 
         let urlObj = url.parse(refer, false, true);
 
-         if (urlObj.hostname && !/yohobuy\.com$/.test(urlObj.hostname)) {
-             refer = '/';
+         if (urlObj.hostname && !/(?:yohobuy\.com$)|(?:yoho\.cn$)/.test(urlObj.hostname)) {
+             refer = '/home';
         }
 
 
--- a/apps/passport/controllers/reg.js
View file @8b67ccf
+++ b/apps/passport/controllers/reg.js
View file @8b67ccf
@@ -8,6 +8,7 @@
 'use strict';
 
 const _ = require('lodash');
+ const url = require('url');
 const helpers = global.yoho.helpers;
 const sign = global.yoho.sign;
 const cookie = global.yoho.cookie;
@@ -61,6 +62,12 @@ let index = (req, res) => {
     // req.session.REG_EXPIRE = Date.now() + 1800000;
     let refer = req.query.refer;
 
+     let urlObj = url.parse(refer, false, true);
+ 
+     if (urlObj.hostname && !/(?:yohobuy\.com$)|(?:yoho\.cn$)/.test(urlObj.hostname)) {
+         refer = '/home';
+     }
+ 
     refer && res.cookie('refer', encodeURI(refer), {
         domain: 'yohobuy.com'
     });
@@ -402,6 +409,13 @@ let setPassword = (req, res, next) => {
             refer = '/home';
         }
 
+         // fix: http://redmine.yoho.cn/issues/14282 跳转安全
+         let urlObj = url.parse(refer, false, true);
+ 
+         if (urlObj.hostname && !/(?:yohobuy\.com$)|(?:yoho\.cn$)/.test(urlObj.hostname)) {
+             refer = '/home';
+         }
+ 
         delete req.session.phoneNum;
 
         return res.json({