From 6f5f3d8ca7df3d355eaff9add1b829d9b5650f2a Mon Sep 17 00:00:00 2001
From: Ben Busby
Date: Sun, 21 Nov 2021 23:21:04 -0700
Subject: [PATCH] Fix incorrect redirect protocol used by Flask
Flask's `request.url` uses `http` as the protocol, which breaks instances that enforce `https`, since the session redirect relies on `request.url` for the follow-through URL.
This introduces a new method for determining the correct URL to use for these redirects by automatically replacing the protocol with `https` if the `HTTPS_ONLY` env var is set for that instance.
Fixes #538
Fixes #545
---
 app/routes.py | 10 ++++------
 app/utils/misc.py | 7 +++++++
 2 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/app/routes.py b/app/routes.py
index e85bb50..406d33e 100644
--- a/app/routes.py
+++ b/app/routes.py
@@ -14,7 +14,7 @@ from app.models.config import Config
 from app.models.endpoint import Endpoint
 from app.request import Request, TorError
 from app.utils.bangs import resolve_bang
-from app.utils.misc import read_config_bool, get_client_ip
+from app.utils.misc import read_config_bool, get_client_ip, get_request_url
 from app.utils.results import add_ip_card
 from app.utils.results import bold_search_terms
 from app.utils.search import *
@@ -120,7 +120,7 @@ def before_request_func():
 return redirect(url_for(
 'session_check',
 session_id=session['uuid'],
- follow=request.url), code=307)
+ follow=get_request_url(request.url)), code=307)
 else:
 g.user_config = Config(**session['config'])
 elif 'cookies_disabled' not in request.args:
@@ -134,13 +134,11 @@ def before_request_func():
 g.user_config = Config(**default_config)
 
 if not g.user_config.url:
- g.user_config.url = request.url_root.replace(
- 'http://',
- 'https://') if os.getenv('HTTPS_ONLY', False) else request.url_root
+ g.user_config.url = get_request_url(request.url_root)
 
 g.user_request = Request(
 request.headers.get('User-Agent'),
- request.url_root,
+ get_request_url(request.url_root),
 config=g.user_config)
 
 g.app_location = g.user_config.url
diff --git a/app/utils/misc.py b/app/utils/misc.py
index 6ce029a..7f1f67b 100644
--- a/app/utils/misc.py
+++ b/app/utils/misc.py
@@ -23,3 +23,10 @@ def get_client_ip(r: Request) -> str:
 return r.environ['REMOTE_ADDR']
 else:
 return r.environ['HTTP_X_FORWARDED_FOR']
+
+
+def get_request_url(url: str) -> str:
+ if os.getenv('HTTPS_ONLY', False):
+ return url.replace('http://', 'https://', 1)
+
+ return url
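Review bot: `get_request_url(request.url_root)` is evaluated twice within a few lines of the `@@ -134` hunk, once for `g.user_config.url` and again for the `Request(...)` argument; binding it once before the `if` reads better and keeps both uses guaranteed identical, e.g. `url_root = get_request_url(request.url_root)` then `g.user_config.url = url_root` and `url_root,` in the `Request` call. The removed lines were the only visible use of `os.getenv` in this hunk, so if nothing else in routes.py references `os` the import is now dead; the rest of the file is outside the hunk, so that needs confirming. `before_request_func` starts and ends outside this hunk.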
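Review bot: `url.replace('http://', 'https://', 1)` in the new `get_request_url` is not anchored to the scheme, so when the incoming URL already starts with `https://` and carries `http://` further along (a constructed example: `https://host/search?q=http://example.com`), the first occurrence rewritten is the embedded one and the redirect target or config URL is silently changed. Anchor the rewrite to the prefix: `if os.getenv('HTTPS_ONLY', False) and url.startswith('http://'):` followed by `return 'https://' + url[len('http://'):]`. `os.getenv('HTTPS_ONLY', False)` is also truthy for any non-empty value such as `0` or `false`; routes.py on this page imports `read_config_bool` from this same module, which appears to be the project's way of reading such flags, so `read_config_bool('HTTPS_ONLY')` would be the consistent check, assuming it parses boolean-like strings. The hunk does not show misc.py's import block, so whether `os` is already imported there should be confirmed, and the function would benefit from a one-line docstring such as `"""Return url with its http:// scheme rewritten to https:// when HTTPS_ONLY is set."""`.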