Merge pull request bitly#194 from r4um/validate-state

jehiah · jehiah · commit d5a332c3f2de · 2016-01-19T10:21:32.000-05:00
Validate state param while redirecting.
diff --git a/oauthproxy.go b/oauthproxy.go
@@ -476,7 +476,7 @@ func (p *OAuthProxy) OAuthCallback(rw http.ResponseWriter, req *http.Request) {
 	}
 
 	redirect := req.Form.Get("state")
-	if redirect == "" {
+	if !strings.HasPrefix(redirect, "/") {
 		redirect = "/"
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -476,7 +476,7 @@ func (p OAuthProxy) OAuthCallback(rw http.ResponseWriter, req http.Request) {`
`476`	`476`	`}`
`477`	`477`
`478`	`478`	`redirect := req.Form.Get("state")`
`479`		`- if redirect == "" {`
	`479`	`+ if !strings.HasPrefix(redirect, "/") {`
`480`	`480`	`redirect = "/"`
`481`	`481`	`}`
`482`	`482`