'/' redirect check isn't enough. #228

sdier · 2016-03-26T16:07:36Z

'//foo.com/foo' is a valid url, so the redirect check at oauthproxy.go:479 is not sufficient for its intent.

Since I'm using this hole to redirect to other domains within a set of subdomains -- it would be cool if this was somehow preserved so I can have a partially open redirect. (I'm using an 'auth' domain and redirect to it from other domains and then redirect back while using the nginx aut -- I plan on writing up the configuration soon for others to use.)

rcoup · 2016-05-31T10:47:48Z

@sdier can you share the config briefly?

jehiah added the bug label Mar 23, 2017

jehiah self-assigned this Mar 29, 2017

jehiah mentioned this issue Mar 29, 2017

Improve redirect checks #359

Merged

jehiah closed this as completed in #359 Mar 29, 2017

ploxiln mentioned this issue Jun 1, 2017

Support for a whitelist of --redirect-domains #399

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

'/' redirect check isn't enough. #228

'/' redirect check isn't enough. #228

sdier commented Mar 26, 2016

rcoup commented May 31, 2016

'/' redirect check isn't enough. #228

'/' redirect check isn't enough. #228

Comments

sdier commented Mar 26, 2016

rcoup commented May 31, 2016