Merge pull request #257 from voidz0r/dev

Fixing issue #256 - Open Redirect vulnerability
italia · Mar 23, 2023 · 8881b2b · 8881b2b
2 parents f30f978 + e32f349
commit 8881b2b
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/spid_cie_oidc/provider/views/consent_page_view.py b/spid_cie_oidc/provider/views/consent_page_view.py
@@ -1,6 +1,7 @@
 import logging
 from django.core.paginator import Paginator
 import urllib.parse
+from urllib.parse import urlparse
 
 from djagger.decorators import schema
 from django.contrib.auth import logout
@@ -95,7 +96,7 @@ def post(self, request, *args, **kwargs):
 
 
 def oidc_provider_not_consent(request):
-    redirect_uri = request.GET.get("redirect_uri")
+    redirect_uri = urlparse(request.GET.get("redirect_uri"))
     state = request.GET.get("state", "")
     logout(request)
     kwargs = dict(
@@ -105,7 +106,7 @@ def oidc_provider_not_consent(request):
         ),
         state = state
     )
-    url = f'{redirect_uri}?{urllib.parse.urlencode(kwargs)}'
+    url = f'{redirect_uri.path if redirect_uri.path else "/"}?{urllib.parse.urlencode(kwargs)}'
     return HttpResponseRedirect(url)