Merge pull request #359 from jehiah/redirect_check_359

Improve redirect checks
bitly · Mar 29, 2017 · 86d0832 · 86d0832
2 parents 712739f + 289a6cc
commit 86d0832
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/oauthproxy.go b/oauthproxy.go
@@ -490,7 +490,7 @@ func (p *OAuthProxy) OAuthCallback(rw http.ResponseWriter, req *http.Request) {
 	}
 
 	redirect := req.Form.Get("state")
-	if !strings.HasPrefix(redirect, "/") {
+	if !strings.HasPrefix(redirect, "/")  || strings.HasPrefix(redirect, "//") {
 		redirect = "/"
 	}
 

diff --git a/providers/provider_default.go b/providers/provider_default.go
@@ -88,7 +88,7 @@ func (p *ProviderData) GetLoginURL(redirectURI, finalRedirect string) string {
 	params.Add("scope", p.Scope)
 	params.Set("client_id", p.ClientID)
 	params.Set("response_type", "code")
-	if strings.HasPrefix(finalRedirect, "/") {
+	if strings.HasPrefix(finalRedirect, "/") && !strings.HasPrefix(finalRedirect,"//") {
 		params.Add("state", finalRedirect)
 	}
 	a.RawQuery = params.Encode()