public_git
/
oauth2-proxy
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request from GHSA-qqxw-m5fj-f7gv 

check for /\ redirects
This commit is contained in:
David Stark 2020-01-29 12:37:58 +00:00 committed by GitHub
parent fc59a6d683 e21f09817e
commit a316f8a06f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
CHANGELOG.md
View File

@ -17,7 +17,7 @@
- DigitalOcean provider support added - DigitalOcean provider support added
## Important Notes ## Important Notes
N/A - (Security) Fix for open redirect vulnerability.. a bad actor using `/\` in redirect URIs can redirect a session to another domain
## Breaking Changes ## Breaking Changes

2
oauthproxy.go
View File

@ -558,7 +558,7 @@ func validOptionalPort(port string) bool {
// IsValidRedirect checks whether the redirect URL is whitelisted // IsValidRedirect checks whether the redirect URL is whitelisted
func (p *OAuthProxy) IsValidRedirect(redirect string) bool { func (p *OAuthProxy) IsValidRedirect(redirect string) bool {
switch { switch {
case strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//"): case strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//") && !strings.HasPrefix(redirect, "/\\"):
return true return true
case strings.HasPrefix(redirect, "http://") || strings.HasPrefix(redirect, "https://"): case strings.HasPrefix(redirect, "http://") || strings.HasPrefix(redirect, "https://"):
redirectURL, err := url.Parse(redirect) redirectURL, err := url.Parse(redirect)