Merge branch 'rbren/patch-1' into master

volatiletech · Sep 18, 2020 · 0a2c2aa · 0a2c2aa
2 parents ecd0e44 + 7d0371e
commit 0a2c2aa
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/defaults/responder.go b/defaults/responder.go
@@ -77,6 +77,10 @@ func (r *Redirector) Redirect(w http.ResponseWriter, req *http.Request, ro authb
 func (r Redirector) redirectAPI(w http.ResponseWriter, req *http.Request, ro authboss.RedirectOptions) error {
 	path := ro.RedirectPath
 	redir := req.FormValue(r.FormValueName)
+	if strings.Contains(redir, "://") {
+		// Guard against Open Redirect: https://cwe.mitre.org/data/definitions/601.html
+		redir = ""
+	}
 	if len(redir) != 0 && ro.FollowRedirParam {
 		path = redir
 	}