From b9db9ff3e7ad01ee1db611257e5eaeeb978e35a9 Mon Sep 17 00:00:00 2001 From: jisangs Date: Sun, 5 Jul 2026 00:49:50 +0900 Subject: [PATCH] =?UTF-8?q?callbackUrl=20=EC=99=B8=EB=B6=80=20=EB=8F=84?= =?UTF-8?q?=EB=A9=94=EC=9D=B8=20=EB=A6=AC=EB=8B=A4=EC=9D=B4=EB=A0=89?= =?UTF-8?q?=ED=8A=B8=20=EC=B0=A8=EB=8B=A8,=20=ED=99=98=EA=B2=BD=EB=B3=84?= =?UTF-8?q?=20=EC=84=B8=EC=85=98=20=EC=BF=A0=ED=82=A4=20=EC=9D=B4=EB=A6=84?= =?UTF-8?q?=20=EB=B6=84=EB=A6=AC?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- app/(auth)/login/actions.ts | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/app/(auth)/login/actions.ts b/app/(auth)/login/actions.ts index 0288193..191391f 100644 --- a/app/(auth)/login/actions.ts +++ b/app/(auth)/login/actions.ts @@ -5,8 +5,20 @@ import { redirect } from "next/navigation"; import { signIn } from "@/auth"; +function sanitizeCallbackUrl(raw: string): string { + try { + const parsed = new URL(raw, "http://x"); + if (parsed.origin !== "http://x") return "/"; + } catch { + return "/"; + } + return raw.startsWith("/") ? raw : "/"; +} + export async function loginAction(formData: FormData) { - const callbackUrl = String(formData.get("callbackUrl") ?? "/"); + const callbackUrl = sanitizeCallbackUrl( + String(formData.get("callbackUrl") ?? "/") + ); try { await signIn("credentials", {