Merge branch 'rbren/patch-1' into master

2025-01-22 05:09:42 +02:00 · 2020-09-17 22:06:48 -07:00 · 2020-09-17 22:06:48 -07:00 · 0a2c2aafa0
commit 0a2c2aafa0
parent ecd0e44e0b 7d0371efdc
1 changed files with 4 additions and 0 deletions
--- a/defaults/responder.go
+++ b/defaults/responder.go
@ -77,6 +77,10 @@ func (r *Redirector) Redirect(w http.ResponseWriter, req *http.Request, ro authb
 func (r Redirector) redirectAPI(w http.ResponseWriter, req *http.Request, ro authboss.RedirectOptions) error {
 	path := ro.RedirectPath
 	redir := req.FormValue(r.FormValueName)
+	if strings.Contains(redir, "://") {
+		// Guard against Open Redirect: https://cwe.mitre.org/data/definitions/601.html
+		redir = ""
+	}
 	if len(redir) != 0 && ro.FollowRedirParam {
 		path = redir
 	}