add check for //.* to prevent open redirect during oauth
This commit is contained in:
Colin Arnott
Jehiah Czebotar
parent
712739f777
commit
289a6ccf46
|
|
@ -490,7 +490,7 @@ func (p *OAuthProxy) OAuthCallback(rw http.ResponseWriter, req *http.Request) {
|
||||||
}
|
}
|
||||||
|
|
||||||
redirect := req.Form.Get("state")
|
redirect := req.Form.Get("state")
|
||||||
if !strings.HasPrefix(redirect, "/") {
|
if !strings.HasPrefix(redirect, "/") || strings.HasPrefix(redirect, "//") {
|
||||||
redirect = "/"
|
redirect = "/"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -88,7 +88,7 @@ func (p *ProviderData) GetLoginURL(redirectURI, finalRedirect string) string {
|
||||||
params.Add("scope", p.Scope)
|
params.Add("scope", p.Scope)
|
||||||
params.Set("client_id", p.ClientID)
|
params.Set("client_id", p.ClientID)
|
||||||
params.Set("response_type", "code")
|
params.Set("response_type", "code")
|
||||||
if strings.HasPrefix(finalRedirect, "/") {
|
if strings.HasPrefix(finalRedirect, "/") && !strings.HasPrefix(finalRedirect,"//") {
|
||||||
params.Add("state", finalRedirect)
|
params.Add("state", finalRedirect)
|
||||||
}
|
}
|
||||||
a.RawQuery = params.Encode()
|
a.RawQuery = params.Encode()
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue