Merge commit from fork

fengmk2 · web-flow · commit 422c551c63d0 · 2025-07-27T15:25:47.000+08:00
GHSA-jgmv-j7ww-jx2x close #1892
diff --git a/__tests__/response/back.test.js b/__tests__/response/back.test.js
@@ -12,6 +12,22 @@ describe('ctx.back([alt])', () => {
     assert.equal(ctx.response.header.location, '/login')
   })
 
+  it('should redirect to the same origin referrer', () => {
+    const ctx = context()
+    ctx.req.headers.host = 'example.com'
+    ctx.req.headers.referrer = 'https://example.com/login'
+    ctx.back()
+    assert.equal(ctx.response.header.location, 'https://example.com/login')
+  })
+
+  it('should redirect to root if the same origin referrer is not present', () => {
+    const ctx = context()
+    ctx.req.headers.host = 'example.com'
+    ctx.req.headers.referrer = 'https://other.com/login'
+    ctx.back()
+    assert.equal(ctx.response.header.location, '/')
+  })
+
   it('should redirect to Referer', () => {
     const ctx = context()
     ctx.req.headers.referer = '/login'
diff --git a/lib/response.js b/lib/response.js
@@ -320,8 +320,24 @@ module.exports = {
    */
 
   back (alt) {
-    const url = this.ctx.get('Referrer') || alt || '/'
-    this.redirect(url)
+    const referrer = this.ctx.get('Referrer')
+    if (referrer) {
+      // referrer is a relative path
+      if (referrer.startsWith('/')) {
+        this.redirect(referrer)
+        return
+      }
+
+      // referrer is an absolute URL, check if it's the same origin
+      const url = new URL(referrer, this.ctx.href)
+      if (url.host === this.ctx.host) {
+        this.redirect(referrer)
+        return
+      }
+    }
+
+    // no referrer, use alt or '/'
+    this.redirect(alt || '/')
   },
 
   /**
