SEC-53 don't backto to external urls (#374)

viamrobotics · Oct 22, 2024 · 25570d0 · 25570d0
1 parent 56b97fc
commit 25570d0
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/web/auth.go b/web/auth.go
@@ -527,8 +527,15 @@ func (h *loginHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	})
 
 	if r.FormValue("backto") != "" {
-		session.Data["backto"] = r.FormValue("backto")
+		backto := r.FormValue("backto")
+
+		// to prevent redirecting to an external URL we only set the session data when we fail to parse backto
+		_, err := url.ParseRequestURI(backto)
+		if err != nil {
+			session.Data["backto"] = backto
+		}
 	}
+
 	if session.Data["backto"] == "" {
 		session.Data["backto"] = r.Header.Get("Referer")
 	}