Add v2.38.3

azure-pipelines.yml

@@ -214,7 +214,6 @@ stages:
               ResourceGroupName: '$(ResourceGroup)'
               SlotName: '$(SlotNameStaging)'
               packageForLinux: '$(Pipeline.Workspace)\**\*.zip'
-              WebConfigParameters: '-Handler iisnode -NodeStartFile server.js -appType node'
               enableCustomDeployment: true
               DeploymentType: 'webDeploy'
               ExcludeFilesFromAppDataFlag: false
@@ -301,7 +300,6 @@ stages:
               ResourceGroupName: '$(ResourceGroup)'
               SlotName: '$(SlotNameStaging)'
               packageForLinux: '$(Pipeline.Workspace)\**\*.zip'
-              WebConfigParameters: '-Handler iisnode -NodeStartFile server.js -appType node'
               enableCustomDeployment: true
               DeploymentType: 'webDeploy'
               ExcludeFilesFromAppDataFlag: false

core/frontend/apps/private-blogging/lib/middleware.js

@@ -1,5 +1,4 @@
 const fs = require('fs-extra');
-const url = require('url');
 const session = require('cookie-session');
 const crypto = require('crypto');
 const path = require('path');
@@ -22,10 +21,14 @@ function verifySessionHash(salt, hash) {
 }
 
 function getRedirectUrl(query) {
-    const redirect = decodeURIComponent(query.r || '/');
-
     try {
-        return url.parse(redirect).pathname;
+        const redirect = decodeURIComponent(query.r || '/');
+        const pathname = new URL(redirect, config.get('url')).pathname;
+
+        const base = new URL(config.get('url'));
+        const target = new URL(pathname, config.get('url'));
+        // Make sure we don't redirect outside of the instance
+        return target.host === base.host ? pathname : '/';
     } catch (e) {
         return '/';
     }

package.json

@@ -1,6 +1,6 @@
 {
   "name": "ghost",
-  "version": "2.38.2",
+  "version": "2.38.3",
   "description": "The professional publishing platform",
   "author": "Ghost Foundation",
   "homepage": "https://ghost.org",