account: Prevent open redirects after login
kschiffer committed Feb 6, 2023
1 parent aaf89d9 commit f067760
Showing 2 changed files with 7 additions and 0 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.md
Expand Up @@ -26,6 +26,8 @@ For details about compatibility between different releases, see the **Commitment

### Security

- Fix open redirect vulnerability for Console/Account App logins.

## [3.24.0] - 2023-02-02

### Added
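Review bot: the changelog entry under `### Security` says "Console/Account App logins", but the only code change in this commit is in `pkg/webui/account/views/login/index.js`; either narrow the wording to the Account App or reference the commit that applies the same guard on the Console side so the release notes stay accurate. A short description of the fix (relative-path-only redirect target, fallback to the app root) would also help readers assess whether they are affected.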
5 changes: 5 additions & 0 deletions pkg/webui/account/views/login/index.js
Expand Up @@ -72,6 +72,11 @@ const url = (location, omitQuery = false) => {
return next.split('?')[0]
}

// Only allow relative redirects to prevent open redirects.
if (!next.startsWith('/') || next.startsWith('//')) {
return appRoot
}

return next
}
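Review bot: the new guard sits after the early return `return next.split('?')[0]`, so when `omitQuery` is true the function still hands back an unvalidated `next`; move the `if (!next.startsWith('/') || next.startsWith('//'))` check above that branch (or apply it to the stripped value) so both paths fall back to `appRoot`. Note also that the check only rejects a leading `//`; since browsers normalise backslashes to slashes in URLs, a value starting with `/\` would pass this test, so a stricter condition such as `/^\/[\/\\]/.test(next)` for the reject case is worth considering, along with a unit test covering `/path`, `//host`, `/\host` and `https://host` inputs.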

