Fix another open redirect issue

2024-11-24 08:42:17 +02:00 · 2021-05-18 00:18:27 -07:00 · 2021-05-18 00:18:27 -07:00 · 7939063139
commit 7939063139
parent 572b56619e
2 changed files with 10 additions and 0 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -3,6 +3,12 @@
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).

+## [3.0.5] - 2021-05-18
+
+- Fix an open redirect security issue. This is technically a breaking change
+  if you are redirecting to some other site or front-end that's not on your
+  server.
+
 ## [3.0.4] - 2021-04-27

 ### Changed
--- a/defaults/responder.go
+++ b/defaults/responder.go
@ -127,6 +127,10 @@ func (r Redirector) redirectAPI(w http.ResponseWriter, req *http.Request, ro aut
 func (r Redirector) redirectNonAPI(w http.ResponseWriter, req *http.Request, ro authboss.RedirectOptions) error {
 	path := ro.RedirectPath
 	redir := req.FormValue(r.FormValueName)
+	if strings.Contains(redir, "://") {
+		// Guard against Open Redirect: https://cwe.mitre.org/data/definitions/601.html
+		redir = ""
+	}
 	if len(redir) != 0 && ro.FollowRedirParam {
 		path = redir
 	}