don't allow logins to the files domain; fixes #4726 and gh issue 23

Change-Id: Ia292e4c8a375e1eb61f812aed8d6fe8b3d83c901
Reviewed-on: https://gerrit.instructure.com/3914
Tested-by: Hudson <hudson@instructure.com>
Reviewed-by: Jon Jensen <jon@instructure.com>
Reviewed-by: Brian Palmer <brianp@instructure.com>

app/controllers/pseudonym_sessions_controller.rb

@@ -18,7 +18,8 @@
 
 class PseudonymSessionsController < ApplicationController
   protect_from_forgery :except => [:create, :destroy, :saml_consume]
-  
+  before_filter :forbid_on_files_domain, :except => [ :clear_file_session ]
+
   def new
     if @current_user && !params[:re_login]
       redirect_to dashboard_url
@@ -293,5 +294,12 @@ class PseudonymSessionsController < ApplicationController
       config = { :cas_base_url => @domain_root_account.account_authorization_config.auth_base }
       @cas_client = CASClient::Client.new(config)
   end
-  
+
+  def forbid_on_files_domain
+    if HostUrl.is_file_host?(request.host)
+      reset_session
+      return redirect_to dashboard_url(:host => HostUrl.default_host)
+    end
+    true
+  end
 end

lib/host_url.rb

@@ -59,5 +59,10 @@ class HostUrl
     def default_host=(val)
       @@default_host = val
     end
+    
+    def is_file_host?(domain)
+      safer_host = file_host(Account.default)
+      safer_host != default_host && domain == safer_host
+    end
   end
 end

spec/integration/security_spec.rb

@@ -189,6 +189,15 @@ describe "security" do
     end
   end
 
+  it "should not allow logins to safefiles domains" do
+    HostUrl.stub!(:file_host).and_return('files-test.host')
+    HostUrl.stub!(:default_host).and_return('test.host')
+    get "http://files-test.host/login"
+    response.should be_redirect
+    uri = URI.parse response['Location']
+    uri.host.should == 'test.host'
+  end
+
   class Basic
     extend ActionController::HttpAuthentication::Basic
   end