From 289a6ccf463a425c7606178c510fc5eeb9c8b050 Mon Sep 17 00:00:00 2001
From: Colin Arnott <arnottcr@gmail.com>
Date: Mon, 27 Mar 2017 21:11:15 -0400
Subject: [PATCH] add check for //.* to prevent open redirect during oauth

---
 oauthproxy.go                 | 2 +-
 providers/provider_default.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/oauthproxy.go b/oauthproxy.go
index 115e5628..75fbc9f9 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -490,7 +490,7 @@ func (p *OAuthProxy) OAuthCallback(rw http.ResponseWriter, req *http.Request) {
 	}
 
 	redirect := req.Form.Get("state")
-	if !strings.HasPrefix(redirect, "/") {
+	if !strings.HasPrefix(redirect, "/")  || strings.HasPrefix(redirect, "//") {
 		redirect = "/"
 	}
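Review bot: The new guard on line 20 rejects `//host` but still accepts a state of the form `/\host`, and browsers treat a backslash after the leading slash as a second slash, so the scheme-relative redirect this commit is closing remains reachable through that spelling; the provider_default.go hunk has the same gap. Extend the condition to `if !strings.HasPrefix(redirect, "/") || strings.HasPrefix(redirect, "//") || strings.HasPrefix(redirect, "/\\") {`. Because the two sites must stay in lockstep, the check is better expressed once as a small helper that reports whether a redirect is a local path and called from both places. The double space before `||` is also not gofmt-clean. OAuthCallback begins before the hunk.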
 
diff --git a/providers/provider_default.go b/providers/provider_default.go
index 82b73ec3..6b8ec401 100644
--- a/providers/provider_default.go
+++ b/providers/provider_default.go
@@ -88,7 +88,7 @@ func (p *ProviderData) GetLoginURL(redirectURI, finalRedirect string) string {
 	params.Add("scope", p.Scope)
 	params.Set("client_id", p.ClientID)
 	params.Set("response_type", "code")
-	if strings.HasPrefix(finalRedirect, "/") {
+	if strings.HasPrefix(finalRedirect, "/") && !strings.HasPrefix(finalRedirect,"//") {
 		params.Add("state", finalRedirect)
 	}
 	a.RawQuery = params.Encode()
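Review bot: `strings.HasPrefix(finalRedirect,"//")` on line 33 lacks the space after the comma, so this file is no longer gofmt-clean; write it as `strings.HasPrefix(finalRedirect, "//")`. GetLoginURL begins before the hunk and its return lies after it.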