fix: URL with hash sign in after_verification_return_to stays encoded (…

…#2173) Fixes #2068
ory · Jan 31, 2022 · fef2953 · fef2953
1 parent e3773e0
commit fef2953
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/x/http_secure_redirect.go b/x/http_secure_redirect.go
@@ -87,7 +87,7 @@ func SecureRedirectTo(r *http.Request, defaultReturnTo *url.URL, opts ...SecureR
 
 	if len(source.Query().Get("return_to")) == 0 {
 		return o.defaultReturnTo, nil
-	} else if returnTo, err = url.ParseRequestURI(source.Query().Get("return_to")); err != nil {
+	} else if returnTo, err = url.Parse(source.Query().Get("return_to")); err != nil {
 		return nil, herodot.ErrInternalServerError.WithWrap(err).WithReasonf("Unable to parse the return_to query parameter as an URL: %s", err)
 	}
 

diff --git a/x/http_secure_redirect_test.go b/x/http_secure_redirect_test.go
@@ -143,6 +143,14 @@ func TestSecureRedirectTo(t *testing.T) {
 		return res, string(body)
 	}
 
+	t.Run("case=return to a relative path with anchor works", func(t *testing.T) {
+		s := newServer(t, false, true, false, func(ts *httptest.Server) []x.SecureRedirectOption {
+			return []x.SecureRedirectOption{x.SecureRedirectAllowURLs([]url.URL{*urlx.ParseOrPanic("/foo")})}
+		})
+		_, body := makeRequest(t, s, "?return_to=/foo/kratos%23abcd")
+		assert.Equal(t, body, "/foo/kratos#abcd")
+	})
+
 	t.Run("case=return to default URL if nothing is allowed", func(t *testing.T) {
 		s := newServer(t, false, false, false, nil)
 		_, body := makeRequest(t, s, "?return_to=/foo")