Merge pull request from GHSA-qqxw-m5fj-f7gv

check for /\ redirects
oauth2-proxy · Jan 29, 2020 · a316f8a · a316f8a
2 parents fc59a6d + e21f098
commit a316f8a
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -17,7 +17,7 @@
 - DigitalOcean provider support added
 
 ## Important Notes
-N/A
+- (Security) Fix for open redirect vulnerability..  a bad actor using `/\` in redirect URIs can redirect a session to another domain
 
 ## Breaking Changes
 

diff --git a/oauthproxy.go b/oauthproxy.go
@@ -558,7 +558,7 @@ func validOptionalPort(port string) bool {
 // IsValidRedirect checks whether the redirect URL is whitelisted
 func (p *OAuthProxy) IsValidRedirect(redirect string) bool {
 	switch {
-	case strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//"):
+	case strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//") && !strings.HasPrefix(redirect, "/\\"):
 		return true
 	case strings.HasPrefix(redirect, "http://") || strings.HasPrefix(redirect, "https://"):
 		redirectURL, err := url.Parse(redirect)