go/authboss
1
0
Fork 0
mirror of https://github.com/volatiletech/authboss.git synced 2024-11-28 08:58:38 +02:00
Code Issues Releases Activity

Fix another open redirect issue

Browse Source
This commit is contained in:
Aaron L 2021-05-18 00:18:27 -07:00
parent 572b56619e
commit 7939063139
2 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
CHANGELOG.md
View File

@ -3,6 +3,12 @@
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/) The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html). and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
## [3.0.5] - 2021-05-18
- Fix an open redirect security issue. This is technically a breaking change
if you are redirecting to some other site or front-end that's not on your
server.
## [3.0.4] - 2021-04-27 ## [3.0.4] - 2021-04-27
### Changed ### Changed

4
defaults/responder.go
View File

@ -127,6 +127,10 @@ func (r Redirector) redirectAPI(w http.ResponseWriter, req *http.Request, ro aut
func (r Redirector) redirectNonAPI(w http.ResponseWriter, req *http.Request, ro authboss.RedirectOptions) error { func (r Redirector) redirectNonAPI(w http.ResponseWriter, req *http.Request, ro authboss.RedirectOptions) error {
path := ro.RedirectPath path := ro.RedirectPath
redir := req.FormValue(r.FormValueName) redir := req.FormValue(r.FormValueName)
if strings.Contains(redir, "://") {
// Guard against Open Redirect: https://cwe.mitre.org/data/definitions/601.html
redir = ""
}
if len(redir) != 0 && ro.FollowRedirParam { if len(redir) != 0 && ro.FollowRedirParam {
path = redir path = redir
} }