add check for //.* to prevent open redirect during oauth

This commit is contained in:
Colin Arnott 2017-03-27 21:11:15 -04:00 committed by Jehiah Czebotar
parent 712739f777
commit 289a6ccf46
2 changed files with 2 additions and 2 deletions

View File

@ -490,7 +490,7 @@ func (p *OAuthProxy) OAuthCallback(rw http.ResponseWriter, req *http.Request) {
}
redirect := req.Form.Get("state")
if !strings.HasPrefix(redirect, "/") {
if !strings.HasPrefix(redirect, "/") || strings.HasPrefix(redirect, "//") {
redirect = "/"
}

View File

@ -88,7 +88,7 @@ func (p *ProviderData) GetLoginURL(redirectURI, finalRedirect string) string {
params.Add("scope", p.Scope)
params.Set("client_id", p.ClientID)
params.Set("response_type", "code")
if strings.HasPrefix(finalRedirect, "/") {
if strings.HasPrefix(finalRedirect, "/") && !strings.HasPrefix(finalRedirect,"//") {
params.Add("state", finalRedirect)
}
a.RawQuery = params.Encode()