habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

outposts/proxy: correctly check host in forward domain redirect

Browse Source 
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

#1997
This commit is contained in:
Jens Langhammer
2022-02-15 14:58:19 +01:00
parent 0101368369
commit 5d8c1aa0b0
2 changed files with 22 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
internal/outpost/proxyv2/application/oauth.go
View File

@ -29,11 +29,12 @@ func (a *Application) checkRedirectParam(r *http.Request) (string, bool) {
// Check to make sure we only redirect to allowed places
if a.Mode() == api.PROXYMODE_PROXY || a.Mode() == api.PROXYMODE_FORWARD_SINGLE {
if !strings.Contains(u.String(), a.proxyConfig.ExternalHost) {
a.log.Warning("redirect URI did not contain external host")
a.log.WithField("url", u.String()).WithField("ext", a.proxyConfig.ExternalHost).Warning("redirect URI did not contain external host")
return "", false
}
} else {
if !strings.HasSuffix(rd, *a.proxyConfig.CookieDomain) {
if !strings.HasSuffix(u.Host, *a.proxyConfig.CookieDomain) {
a.log.WithField("host", u.Host).WithField("dom", *a.proxyConfig.CookieDomain).Warning("redirect URI Host was not included in cookie domain")
return "", false
}
}