From 7d0371efdcabbadbaab4cf53df9b58d7f43e439d Mon Sep 17 00:00:00 2001
From: Robert Brennan
Date: Thu, 27 Aug 2020 14:44:51 -0400
Subject: [PATCH] Update responder.go

---
 defaults/responder.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/defaults/responder.go b/defaults/responder.go
index 3432450..514d174 100644
--- a/defaults/responder.go
+++ b/defaults/responder.go
@@ -77,6 +77,10 @@ func (r *Redirector) Redirect(w http.ResponseWriter, req *http.Request, ro authb
 func (r Redirector) redirectAPI(w http.ResponseWriter, req *http.Request, ro authboss.RedirectOptions) error {
 	path := ro.RedirectPath
 	redir := req.FormValue(r.FormValueName)
+	if strings.Contains(redir, "://") {
+		// Guard against Open Redirect: https://cwe.mitre.org/data/definitions/601.html
+		redir = ""
+	}
 	if len(redir) != 0 && ro.FollowRedirParam {
 		path = redir
 	}
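Review bot: The `strings.Contains(redir, "://")` test on the first added line only rejects values that carry an explicit scheme, so a protocol-relative value such as `//other-host/path` still reaches `path = redir` and is resolved by the browser as a different origin; the CWE-601 case named in the comment is therefore only partly closed. A stricter rule is to accept only a same-origin path: require a single leading `/`, reject `//` and `/\` prefixes (browsers normalise the backslash form to a new authority), and confirm via `net/url` that the parsed value has neither scheme nor host, keeping the existing fallback to `ro.RedirectPath`. This needs `net/url` added to the file's imports, which are outside the hunk. `redirectAPI` continues past the end of the hunk, and if the non-API `Redirect` branch reads the same form value it presumably needs the same guard — that code is not visible here.
```go
	redir := req.FormValue(r.FormValueName)
	// Guard against Open Redirect: https://cwe.mitre.org/data/definitions/601.html
	// Only a same-origin path is accepted: one leading "/" (browsers treat
	// "//host" and "/\host" as a new authority) and no scheme or host after parsing.
	if u, err := url.Parse(redir); err != nil || u.Scheme != "" || u.Host != "" ||
		!strings.HasPrefix(redir, "/") || strings.HasPrefix(redir, "//") || strings.HasPrefix(redir, "/\\") {
		redir = ""
	}
	// … unchanged: FollowRedirParam check and the rest of redirectAPI …
```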