[release-11.4.4] [IAM] Prepend AppSubURL to redirectURI before validating it (#104084)

[IAM] Prepend AppSubURL to redirectURI before validating it (#103475)

(cherry picked from commit 5053aa576d)
xavi 8 months ago committed by GitHub
parent 77bd0082d1
commit 1285f8ca5a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
  1. 4
      pkg/api/user_token.go
  2. 2
      pkg/services/authn/authn.go

@ -88,11 +88,11 @@ func (hs *HTTPServer) RotateUserAuthTokenRedirect(c *contextmodel.ReqContext) re
return response.Redirect(hs.GetRedirectURL(c)) return response.Redirect(hs.GetRedirectURL(c))
} }
redirectTo := c.Query("redirectTo") redirectTo := hs.Cfg.AppSubURL + c.Query("redirectTo")
if err := hs.ValidateRedirectTo(redirectTo); err != nil { if err := hs.ValidateRedirectTo(redirectTo); err != nil {
return response.Redirect(hs.Cfg.AppSubURL + "/") return response.Redirect(hs.Cfg.AppSubURL + "/")
} }
return response.Redirect(hs.Cfg.AppSubURL + redirectTo) return response.Redirect(redirectTo)
} }
// swagger:route POST /user/auth-tokens/rotate // swagger:route POST /user/auth-tokens/rotate
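Review bot: The prefixed value is now both validated and returned, but nothing on the `redirectTo :=` line records why `hs.Cfg.AppSubURL` is added before `hs.ValidateRedirectTo` runs; a comment such as `// Validate the full target path, AppSubURL included, so the check sees exactly what the client will be redirected to.` would keep the ordering from being "simplified" back later. Note also that an empty `redirectTo` query now produces the bare `hs.Cfg.AppSubURL` instead of `""`, so whether the fallback redirect on the following line is still reached depends on how `ValidateRedirectTo` treats that input — worth a test case, since the validator is not visible here. Whatever it does, it must now reject absolute or scheme-relative targets on the prefixed string rather than on the raw query value. RotateUserAuthTokenRedirect's signature is in the hunk header, so the function starts outside the hunk.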

@ -281,7 +281,7 @@ func handleLogin(r *http.Request, w http.ResponseWriter, cfg *setting.Cfg, ident
scopedRedirectToCookie, err := r.Cookie(redirectToCookieName) scopedRedirectToCookie, err := r.Cookie(redirectToCookieName)
if err == nil { if err == nil {
redirectTo, _ := url.QueryUnescape(scopedRedirectToCookie.Value) redirectTo, _ := url.QueryUnescape(scopedRedirectToCookie.Value)
if redirectTo != "" && validator(redirectTo) == nil { if redirectTo != "" && validator(cfg.AppSubURL+redirectTo) == nil {
redirectURL = cfg.AppSubURL + redirectTo redirectURL = cfg.AppSubURL + redirectTo
} }
cookies.DeleteCookie(w, redirectToCookieName, cookieOptions(cfg)) cookies.DeleteCookie(w, redirectToCookieName, cookieOptions(cfg))
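Review bot: `cfg.AppSubURL+redirectTo` is built twice in the changed lines — once for `validator(...)` and again for the `redirectURL =` assignment — so a future edit can let the value that was validated and the value that is used drift apart; compute it once: `target := cfg.AppSubURL + redirectTo` / `if redirectTo != "" && validator(target) == nil {` / `redirectURL = target`. The `validator` is injected, so whether it now expects the sub-URL prefix is taken on trust from the commit message and is not checkable from this hunk. handleLogin begins and ends outside the hunk.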
