From e7587d5ce66ebdc736b288bf496ca2a6e0d95620 Mon Sep 17 00:00:00 2001
From: Tim Otten
Date: Mon, 2 Nov 2020 19:36:14 -0800
Subject: [PATCH] dev/core#2141 - AuthorizationCode - Validate that the final return URL is internal

---
 .../Action/OAuthClient/AuthorizationCode.php | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/ext/oauth-client/Civi/Api4/Action/OAuthClient/AuthorizationCode.php b/ext/oauth-client/Civi/Api4/Action/OAuthClient/AuthorizationCode.php
index 8accac29c1..f9c896a5b0 100644
--- a/ext/oauth-client/Civi/Api4/Action/OAuthClient/AuthorizationCode.php
+++ b/ext/oauth-client/Civi/Api4/Action/OAuthClient/AuthorizationCode.php
@@ -3,6 +3,7 @@ namespace Civi\Api4\Action\OAuthClient;
 
 use Civi\Api4\Generic\Result;
+use Civi\OAuth\OAuthException;
 
 /**
  * Class AuthorizationCode
@@ -86,6 +87,27 @@ class AuthorizationCode extends AbstractGrantAction {
     ];
   }
 
+  protected function validate() {
+    parent::validate();
+    if ($this->landingUrl) {
+      $landingUrlParsed = parse_url($this->landingUrl);
+      $landingUrlIp = gethostbyname($landingUrlParsed['host']);
+      $allowedBases = [
+        \Civi::paths()->getVariable('cms.root', 'url'),
+        \Civi::paths()->getVariable('civicrm.root', 'url'),
+      ];
+      $ok = max(array_map(function($allowed) use ($landingUrlParsed, $landingUrlIp) {
+        $allowedParsed = parse_url($allowed);
+        $allowedIp = gethostbyname($allowedParsed['host']);
+        $ok = $landingUrlIp === $allowedIp && $landingUrlParsed['scheme'] == $allowedParsed['scheme'];
+        return (int) $ok;
+      }, $allowedBases));
+      if (!$ok) {
+        throw new OAuthException("Cannot initiate OAuth. Unsupported landing URL.");
+      }
+    }
+  }
+
   /**
    * Call a protected method.
    *
-- 
2.25.1
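Review bot: The "is internal" decision in the new validate() rests on the two `gethostbyname()` calls, which compares DNS answers rather than origins: the landing URL's host is resolved by this server at validation time, and any name that happens to resolve to the same address (other sites behind the same shared host, reverse proxy or CDN address, or a name whose record is changed between the server's lookup and the user's browser's lookup) is accepted as internal, while the browser that follows the redirect may well reach somewhere else. The lookup is also a blocking DNS query on a caller-supplied name, and when `parse_url()` returns FALSE or no `host` (a relative path, a scheme-only value), the code reads an undefined index and resolves an empty string instead of rejecting the input explicitly; the scheme test uses loose `==` on the same line. I would compare the literal scheme, host and port of the landing URL against each allowed base (case-insensitively, no name resolution) and reject anything that is not an absolute URL with a host, as below; whether an explicit default port (`:443`) should match the bare base is a policy call for the maintainers. The method is fully inside the hunk; the surrounding class continues outside it.

```php
  protected function validate() {
    parent::validate();
    if ($this->landingUrl) {
      $landingUrlParsed = parse_url($this->landingUrl);
      // Only an absolute URL with a host can be checked; anything else is rejected outright.
      if ($landingUrlParsed === FALSE || empty($landingUrlParsed['scheme']) || empty($landingUrlParsed['host'])) {
        throw new OAuthException("Cannot initiate OAuth. Unsupported landing URL.");
      }
      // … unchanged: $allowedBases from \Civi::paths() …
      // Compare origins literally; resolving names would accept any host sharing this server's address.
      $ok = FALSE;
      foreach ($allowedBases as $allowed) {
        $allowedParsed = parse_url($allowed);
        if (strtolower($landingUrlParsed['scheme']) === strtolower($allowedParsed['scheme'] ?? '')
          && strtolower($landingUrlParsed['host']) === strtolower($allowedParsed['host'] ?? '')
          && ($landingUrlParsed['port'] ?? NULL) === ($allowedParsed['port'] ?? NULL)) {
          $ok = TRUE;
          break;
        }
      }
      // … unchanged: throw OAuthException when !$ok …
    }
  }
```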