go/oauth2-proxy
1
0
Fork 0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2025-08-15 20:23:13 +02:00
Code Issues Releases Activity

Merge pull request from GHSA-qqxw-m5fj-f7gv

Browse Source 
check for /\ redirects
This commit is contained in:
David Stark
2020-01-29 12:37:58 +00:00
committed by GitHub
parent fc59a6d683 e21f09817e
commit a316f8a06f
2 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
CHANGELOG.md
View File

@@ -17,7 +17,7 @@
- DigitalOcean provider support added
## Important Notes
N/A
- (Security) Fix for open redirect vulnerability.. a bad actor using `/\` in redirect URIs can redirect a session to another domain
## Breaking Changes

2
oauthproxy.go
View File

@@ -558,7 +558,7 @@ func validOptionalPort(port string) bool {
// IsValidRedirect checks whether the redirect URL is whitelisted
func (p *OAuthProxy) IsValidRedirect(redirect string) bool {
switch {
case strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//"):
case strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//") && !strings.HasPrefix(redirect, "/\\"):
return true
case strings.HasPrefix(redirect, "http://") || strings.HasPrefix(redirect, "https://"):
redirectURL, err := url.Parse(redirect)