Rust fixes

2026-04-22 15:41:18 +08:00
parent 9ec5797919
commit 51d54b42ac
22 changed files with 1312 additions and 108 deletions
--- a/rust/myfsio-engine/crates/myfsio-server/src/handlers/ui.rs
+++ b/rust/myfsio-engine/crates/myfsio-server/src/handlers/ui.rs
@@ -66,7 +66,7 @@ pub async fn login_submit(
            let next = form
                .next
                .as_deref()
-                .filter(|n| n.starts_with("/ui/") || *n == "/ui")
+                .filter(|n| is_allowed_redirect(n, &state.config.allowed_redirect_hosts))
                .unwrap_or("/ui/buckets")
                .to_string();
            Redirect::to(&next).into_response()
@@ -80,6 +80,32 @@ pub async fn login_submit(
    }
 }

+fn is_allowed_redirect(target: &str, allowed_hosts: &[String]) -> bool {
+    if target == "/ui" || target.starts_with("/ui/") {
+        return true;
+    }
+    let Some(rest) = target
+        .strip_prefix("https://")
+        .or_else(|| target.strip_prefix("http://"))
+    else {
+        return false;
+    };
+    let host = rest
+        .split('/')
+        .next()
+        .unwrap_or_default()
+        .split('@')
+        .last()
+        .unwrap_or_default()
+        .split(':')
+        .next()
+        .unwrap_or_default()
+        .to_ascii_lowercase();
+    allowed_hosts
+        .iter()
+        .any(|allowed| allowed.eq_ignore_ascii_case(&host))
+}
+
 pub async fn logout(Extension(session): Extension<SessionHandle>) -> Response {
    session.write(|s| {
        s.user_id = None;