From 7939063139d9670b22d1c920d7e4fd451db0277e Mon Sep 17 00:00:00 2001
From: Aaron L
Date: Tue, 18 May 2021 00:18:27 -0700
Subject: [PATCH] Fix another open redirect issue

---
 CHANGELOG.md | 6 ++++++
 defaults/responder.go | 4 ++++
 2 files changed, 10 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9464ca1..06f4ca0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,12 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [3.0.5] - 2021-05-18
+
+- Fix an open redirect security issue. This is technically a breaking change
+  if you are redirecting to some other site or front-end that's not on your
+  server.
+
 ## [3.0.4] - 2021-04-27
 
 ### Changed
diff --git a/defaults/responder.go b/defaults/responder.go
index 514d174..c98d53c 100644
--- a/defaults/responder.go
+++ b/defaults/responder.go
@@ -127,6 +127,10 @@ func (r Redirector) redirectAPI(w http.ResponseWriter, req *http.Request, ro aut
 func (r Redirector) redirectNonAPI(w http.ResponseWriter, req *http.Request, ro authboss.RedirectOptions) error {
 	path := ro.RedirectPath
 	redir := req.FormValue(r.FormValueName)
+	if strings.Contains(redir, "://") {
+		// Guard against Open Redirect: https://cwe.mitre.org/data/definitions/601.html
+		redir = ""
+	}
 	if len(redir) != 0 && ro.FollowRedirParam {
 		path = redir
 	}
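Review bot: The new `strings.Contains(redir, "://")` guard in redirectNonAPI only catches absolute URLs with an explicit scheme; a protocol-relative value such as `//host/path` (and the `/\host` form that browsers treat the same way) contains no `://` and is still assigned to `path`, so the CWE-601 issue the commit targets is only partly closed. A structural check is safer than a substring match: `u, err := url.Parse(redir)` followed by `if err != nil || u.Scheme != "" || u.Host != "" || strings.HasPrefix(redir, "//") || strings.HasPrefix(redir, `/\`) { redir = "" }`, which needs `net/url` imported (the import block is outside this hunk). It would also help to extend the added comment to say what is being accepted, e.g. `// Guard against Open Redirect (CWE-601): only same-origin paths may come from the form value`. The hunk header names a sibling redirectAPI that presumably reads the same form value and may need the same guard, which cannot be confirmed from the hunk; redirectNonAPI's body continues past the end of the hunk.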