login: Don't redirect to external resources

fixes #4945

application/controllers/AuthenticationController.php

@@ -68,7 +68,18 @@ public function loginAction()
             // Call provided AuthenticationHook(s) when login action is called
             // but icinga web user is already authenticated
             AuthenticationHook::triggerLogin($this->Auth()->getUser());
-            $this->redirectNow($this->params->get('redirect', $form->getRedirectUrl()));
+
+            $redirect = $this->params->get('redirect');
+            if ($redirect) {
+                $redirectUrl = Url::fromPath($redirect, [], $this->getRequest());
+                if ($redirectUrl->isExternal()) {
+                    $this->httpBadRequest('nope');
+                }
+            } else {
+                $redirectUrl = $form->getRedirectUrl();
+            }
+
+            $this->redirectNow($redirectUrl);
         }
         if (! $requiresSetup) {
             $cookies = new CookieHelper($this->getRequest());

application/forms/Authentication/LoginForm.php

@@ -10,6 +10,7 @@
 use Icinga\Authentication\Auth;
 use Icinga\Authentication\User\ExternalBackend;
 use Icinga\Common\Database;
+use Icinga\Exception\Http\HttpBadRequestException;
 use Icinga\User;
 use Icinga\Web\Form;
 use Icinga\Web\RememberMe;
@@ -119,10 +120,17 @@ public function getRedirectUrl()
         if ($this->created) {
             $redirect = $this->getElement('redirect')->getValue();
         }
+
         if (empty($redirect) || strpos($redirect, 'authentication/logout') !== false) {
             $redirect = static::REDIRECT_URL;
         }
-        return Url::fromPath($redirect);
+
+        $redirectUrl = Url::fromPath($redirect);
+        if ($redirectUrl->isExternal()) {
+            throw new HttpBadRequestException('nope');
+        }
+
+        return $redirectUrl;
     }
 
     /**