
Backport fix for open redirects from upstream project
fschaefer committed Oct 26, 2023
1 parent 1d52c9f commit f3e0c3f
Showing 2 changed files with 8 additions and 2 deletions.
8 changes: 7 additions & 1 deletion oauthproxy.go
Expand Up @@ -34,6 +34,12 @@ var SignatureHeaders []string = []string{
"Gap-Auth",
}

var (
// Used to check final redirects are not susceptible to open redirects.
// Matches //, /\ and both of these with whitespace in between (eg / / or / \).
invalidRedirectRegex = regexp.MustCompile(`[/\\](?:[\s\v]*|\.{1,2})[/\\]`)
)

type OAuthProxy struct {
CookieSeed string
CookieName string
Expand Down Expand Up @@ -422,7 +428,7 @@ func (p *OAuthProxy) GetRedirect(req *http.Request) (redirect string, err error)
}

redirect = req.Form.Get("rd")
if redirect == "" || !strings.HasPrefix(redirect, "/") || strings.HasPrefix(redirect, "//") {
if redirect == "" || !strings.HasPrefix(redirect, "/") || strings.HasPrefix(redirect, "//") || invalidRedirectRegex.MatchString(redirect) {
redirect = "/"
}

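Review bot: The comment on `invalidRedirectRegex` lists only the `//`, `/\` and whitespace-separated forms, but the `\.{1,2}` alternative in the pattern also rejects dot segments such as `/./` and `/../`, so the comment undersells what the guard blocks; I'd extend it to `// Matches //, /\, both with whitespace between them (eg / / or / \), and dot segments (/./, /../, also with a backslash), anywhere in the value.` Because the pattern is unanchored, a path with a doubled slash anywhere (say `/a//b`) is also reset to `/`; if that is intended it is worth stating in the comment, and it makes the separate `strings.HasPrefix(redirect, "//")` test in GetRedirect redundant, which is harmless but leaves a reader unsure which check is authoritative. The commit adds no test for the new branch; a small table test alongside GetRedirect covering `//x`, `/\x`, `/ /x`, `/../x` and an ordinary `/x` would pin the backported behavior. GetRedirect starts outside the hunk, so how `req.Form` is populated before the `rd` lookup is not visible here.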
2 changes: 1 addition & 1 deletion version.go
@@ -1,3 +1,3 @@
package main

const VERSION = "2.2.2-securepoint"
const VERSION = "2.2.3-securepoint"

1 comment on commit f3e0c3f

@Primexz

🥳
