fix http://redmine.yoho.cn/issues/14282

陈轩
Commit 8b67ccf240d2ccd38ab4701e4e24754746328278 1 parent 2735742e
Showing 2 changed files with 16 additions and 2 deletions
apps/passport/controllers/login.js
apps/passport/controllers/reg.js
--- a/apps/passport/controllers/login.js
View file @8b67ccf
+++ b/apps/passport/controllers/login.js
View file @8b67ccf
@@ -69,8 +69,8 @@ const common = {
         let urlObj = url.parse(refer, false, true);
-        if (urlObj.hostname && !/yohobuy\.com$/.test(urlObj.hostname)) {
-            refer = '/';
+        if (urlObj.hostname && !/(?:yohobuy\.com$)|(?:yoho\.cn$)/.test(urlObj.hostname)) {
+            refer = '/home';
         }
--- a/apps/passport/controllers/reg.js
View file @8b67ccf
+++ b/apps/passport/controllers/reg.js
View file @8b67ccf
@@ -8,6 +8,7 @@
 'use strict';
 const _ = require('lodash');
+const url = require('url');
 const helpers = global.yoho.helpers;
 const sign = global.yoho.sign;
 const cookie = global.yoho.cookie;
@@ -61,6 +62,12 @@ let index = (req, res) => {
     // req.session.REG_EXPIRE = Date.now() + 1800000;
     let refer = req.query.refer;
+    let urlObj = url.parse(refer, false, true);
+
+    if (urlObj.hostname && !/(?:yohobuy\.com$)|(?:yoho\.cn$)/.test(urlObj.hostname)) {
+        refer = '/home';
+    }
+
     refer && res.cookie('refer', encodeURI(refer), {
         domain: 'yohobuy.com'
     });
@@ -402,6 +409,13 @@ let setPassword = (req, res, next) => {
             refer = '/home';
         }
+        // fix: http://redmine.yoho.cn/issues/14282 跳转安全
+        let urlObj = url.parse(refer, false, true);
+
+        if (urlObj.hostname && !/(?:yohobuy\.com$)|(?:yoho\.cn$)/.test(urlObj.hostname)) {
+            refer = '/home';
+        }
+
         delete req.session.phoneNum;
         return res.json({