Fix: dont allow allauth redirects to any host

src/paperless/adapter.py

@@ -1,4 +1,5 @@
 from allauth.account.adapter import DefaultAccountAdapter
+from allauth.core import context
 from allauth.socialaccount.adapter import DefaultSocialAccountAdapter
 from django.conf import settings
 from django.urls import reverse
@@ -10,6 +11,21 @@ class CustomAccountAdapter(DefaultAccountAdapter):
         # Override with setting, otherwise default to super.
         return getattr(settings, "ACCOUNT_ALLOW_SIGNUPS", allow_signups)
 
+    def is_safe_url(self, url):
+        # see https://github.com/paperless-ngx/paperless-ngx/issues/5780
+        from django.utils.http import url_has_allowed_host_and_scheme
+
+        # get_host already validates the given host, so no need to check it again
+        allowed_hosts = {context.request.get_host()} | set(settings.ALLOWED_HOSTS)
+
+        if "*" in allowed_hosts:
+            # dont allow wildcard to allow urls from any host
+            allowed_hosts.remove("*")
+            allowed_hosts.add(context.request.get_host())
+            return url_has_allowed_host_and_scheme(url, allowed_hosts=allowed_hosts)
+
+        return url_has_allowed_host_and_scheme(url, allowed_hosts=allowed_hosts)
+
 
 class CustomSocialAccountAdapter(DefaultSocialAccountAdapter):
     def is_open_for_signup(self, request, sociallogin):

src/paperless/urls.py

@@ -193,6 +193,7 @@ urlpatterns = [
         RedirectView.as_view(
             url=settings.STATIC_URL + "frontend/en-US/assets/%(path)s",
         ),
+        # TODO: with localization, this is even worse! :/
     ),
     # App logo
     re_path(
@@ -200,7 +201,6 @@ urlpatterns = [
         serve,
         kwargs={"document_root": os.path.join(settings.MEDIA_ROOT, "logo")},
     ),
-    # TODO: with localization, this is even worse! :/
     # login, logout
     path("accounts/", include("allauth.urls")),
     # Root of the Frontend