Fix another open redirect issue
aarondl committed May 18, 2021
1 parent 572b566 commit 7939063
Showing 2 changed files with 10 additions and 0 deletions.
6 changes: 6 additions & 0 deletions CHANGELOG.md
@@ -3,6 +3,12 @@
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).

## [3.0.5] - 2021-05-18

- Fix an open redirect security issue. This is technically a breaking change
if you are redirecting to some other site or front-end that's not on your
server.

## [3.0.4] - 2021-04-27

### Changed
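Review bot: The new 3.0.5 entry has no category subheading, while the neighbouring 3.0.4 entry groups its items under `### Changed`; Keep a Changelog, which this file says it follows, defines a `### Security` category for exactly this kind of entry, so the bullet should sit under one (`### Security` or `### Fixed`) for consistency. The text also calls the fix a breaking change without naming what changed for callers: saying that the redirect form value now rejects targets containing `://` (and that off-server front-ends must be handled differently) would let users judge the impact without reading `defaults/responder.go`.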
4 changes: 4 additions & 0 deletions defaults/responder.go
@@ -127,6 +127,10 @@ func (r Redirector) redirectAPI(w http.ResponseWriter, req *http.Request, ro aut
func (r Redirector) redirectNonAPI(w http.ResponseWriter, req *http.Request, ro authboss.RedirectOptions) error {
path := ro.RedirectPath
redir := req.FormValue(r.FormValueName)
if strings.Contains(redir, "://") {
// Guard against Open Redirect: https://cwe.mitre.org/data/definitions/601.html
redir = ""
}
if len(redir) != 0 && ro.FollowRedirParam {
path = redir
}
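Review bot: The guard `strings.Contains(redir, "://")` only rejects targets that carry an explicit scheme, so a scheme-relative reference beginning with `//` (which browsers resolve to another host) still passes the check and is assigned to `path` two lines later; for CWE-601 the safer rule is a positive one, e.g. parse with `net/url` and reject any value whose `Scheme` or `Host` is non-empty, or require the value to start with a single `/` and not `//` or `/\`. Two smaller points: the `// Guard against Open Redirect` comment sits inside the `if` body after the condition it explains and reads better above the `if`; and since the hunk header shows a sibling `redirectAPI` method in the same file, it is worth confirming whether that path also honours `r.FormValueName` and needs the same check, so the fix is not applied to only one of the two responders.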