2 parents ecd0e44 + 7d0371e commit 0a2c2aaCopy full SHA for 0a2c2aa
1 file changed
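--- a/defaults/responder.go
+++ b/defaults/responder.go
@@ -77,6 +77,10 @@ func (r *Redirector) Redirect(w http.ResponseWriter, req *http.Request, ro authb
 func (r Redirector) redirectAPI(w http.ResponseWriter, req *http.Request, ro authboss.RedirectOptions) error {
 path := ro.RedirectPath
 redir := req.FormValue(r.FormValueName)
+if strings.Contains(redir, "://") {
+// Guard against Open Redirect: https://cwe.mitre.org/data/definitions/601.html
+redir = ""
+}
 if len(redir) != 0 && ro.FollowRedirParam {
 path = redir
 }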
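Review bot: The guard at line 80 only rejects values containing `://`, so a scheme-relative value (a constructed example: `//example.test/path`) still passes through and becomes `path` at line 85, which is the same CWE-601 class the comment names. A stronger rule is to accept only a local path: parse the value and require no scheme, no host and a leading slash, e.g. `if u, err := url.Parse(redir); err != nil || u.IsAbs() || u.Host != "" || !strings.HasPrefix(redir, "/") {` in place of the current condition (this needs `net/url` in the file's imports; whether it is already there is not visible in the hunk). Browsers also normalise backslashes, so a value beginning `/\` merits the same rejection as `//`. redirectAPI's body continues past the end of the hunk, so where `path` is finally written to the response cannot be checked here.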