fix: limit schemes for proton oauth (#2428)

2025-09-08 15:44:21 +08:00 · 2025-03-27 09:57:04 +01:00 · 2025-03-27 09:57:04 +01:00 · 2c1abd05fa
commit 2c1abd05fa
parent 29a6350299
2 changed files with 5 additions and 0 deletions
--- a/app/auth/views/proton.py
+++ b/app/auth/views/proton.py
@ -15,6 +15,7 @@ from app.config import (
    PROTON_EXTRA_HEADER_VALUE,
    PROTON_VALIDATE_CERTS,
    URL,
+    ALLOWED_OAUTH_SCHEMES,
 )
 from app.log import LOG
 from app.models import ApiKey, User
@ -88,6 +89,9 @@ def proton_login():

    scheme = sanitize_scheme(request.args.get("scheme"))
    if scheme:
+        if scheme not in ALLOWED_OAUTH_SCHEMES:
+            flash("Bad OAuth request", "error")
+            return redirect(url_for("auth.login"))
        session["oauth_scheme"] = scheme
    elif "oauth_scheme" in session:
        del session["oauth_scheme"]
--- a/app/config.py
+++ b/app/config.py
@ -684,3 +684,4 @@ MAILBOX_VERIFICATION_OVERRIDE_CODE: Optional[str] = os.environ.get(

 AUDIT_LOG_MAX_DAYS = int(os.environ.get("AUDIT_LOG_MAX_DAYS", 30))
 ALIAS_TRASH_DAYS = int(os.environ.get("ALIAS_TRASH_DAYS", 30))
+ALLOWED_OAUTH_SCHEMES = get_env_csv("ALLOWED_OAUTH_SCHEMES", "auth.simplelogin,https")