Fix open redirect vulnerability on the login page (#2262)

Kirill 2022-02-16 18:26:51 +02:00 committed by GitHub
parent e215132bdf
commit 67e304f372
1 changed files with 3 additions and 2 deletions


@ -7,6 +7,7 @@ import (
"html/template" "html/template"
"net/http" "net/http"
"net/url" "net/url"
"strings"
"time" "time"
"github.com/NYTimes/gziphandler" "github.com/NYTimes/gziphandler"
@ -296,9 +297,9 @@ func (as *AdminServer) nextOrIndex(w http.ResponseWriter, r *http.Request) {
next := "/" next := "/"
url, err := url.Parse(r.FormValue("next")) url, err := url.Parse(r.FormValue("next"))
if err == nil { if err == nil {
path := url.Path path := url.EscapedPath()
if path != "" { if path != "" {
next = path next = "/" + strings.TrimLeft(path, "/")
} }
} }
http.Redirect(w, r, next, http.StatusFound) http.Redirect(w, r, next, http.StatusFound)
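Review bot: The fix lands without a regression test — the diffstat shows only the server file changed — so the inputs it is meant to neutralise (`//evil.com`, `///evil.com`, `/\evil.com`, `http://evil.com`, and a pre-encoded `%2F%2Fevil.com` in `next`) are not pinned down and a later edit back to `url.Path` or a plain `next = path` could silently reopen the redirect; a table-driven test that drives nextOrIndex on an AdminServer value through an httptest.NewRecorder and asserts the Location header is always a same-origin path would cover this. The new lines also rely on a non-obvious pairing: `EscapedPath()` should percent-encode a backslash, and `strings.TrimLeft(path, "/")` collapses leading slashes, and only together do they stop a protocol-relative redirect, so I would add a comment above the `next =` line: `// Same-origin only: EscapedPath() encodes "\" and trimming leading "/" keeps "//host" and "/\host" from becoming a protocol-relative redirect.` Note that the query string and fragment of `next` are now dropped; if any caller depends on them, append url.RawQuery separately rather than reverting to the raw value. nextOrIndex begins before this hunk and its closing brace lies after it.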