implicit/explicit redirect port matching

2025-06-15 00:15:00 +02:00 · 2019-10-12 23:47:23 +03:00
parent bfb22506ff
commit ae4e9155d2
2 changed files with 38 additions and 7 deletions
--- a/oauthproxy.go
+++ b/oauthproxy.go
@ -504,11 +504,27 @@ func (p *OAuthProxy) IsValidRedirect(redirect string) bool {
 		if err != nil {
 			return false
 		}
+		redirectHostname := redirectURL.Hostname()
+
 		for _, domain := range p.whitelistDomains {
-			if (redirectURL.Hostname() == domain) || (strings.HasPrefix(domain, ".") && strings.HasSuffix(redirectURL.Hostname(), domain)) {
-				return true
+			domainURL := url.URL{
+				Host: strings.TrimLeft(domain, "."),
+			}
+			domainHostname := domainURL.Hostname()
+			if domainHostname == "" {
+				continue
+			}
+
+			if (redirectHostname == domainHostname) || (strings.HasPrefix(domain, ".") && strings.HasSuffix(redirectHostname, domainHostname)) {
+				// if the domain has a port, only allow that port
+				// otherwise allow any port
+				domainPort := domainURL.Port()
+				if (domainPort == "") || (domainPort == redirectURL.Port()) {
+					return true
+				}
 			}
 		}
+
 		return false
 	default:
 		return false