diff --git a/x/http_secure_redirect.go b/x/http_secure_redirect.go index 8be06b07e534..b298b14e18cb 100644 --- a/x/http_secure_redirect.go +++ b/x/http_secure_redirect.go @@ -87,7 +87,7 @@ func SecureRedirectTo(r *http.Request, defaultReturnTo *url.URL, opts ...SecureR if len(source.Query().Get("return_to")) == 0 { return o.defaultReturnTo, nil - } else if returnTo, err = url.ParseRequestURI(source.Query().Get("return_to")); err != nil { + } else if returnTo, err = url.Parse(source.Query().Get("return_to")); err != nil { return nil, herodot.ErrInternalServerError.WithWrap(err).WithReasonf("Unable to parse the return_to query parameter as an URL: %s", err) } diff --git a/x/http_secure_redirect_test.go b/x/http_secure_redirect_test.go index 234c5630ee83..8596951f28b9 100644 --- a/x/http_secure_redirect_test.go +++ b/x/http_secure_redirect_test.go @@ -143,6 +143,14 @@ func TestSecureRedirectTo(t *testing.T) { return res, string(body) } + t.Run("case=return to a relative path with anchor works", func(t *testing.T) { + s := newServer(t, false, true, false, func(ts *httptest.Server) []x.SecureRedirectOption { + return []x.SecureRedirectOption{x.SecureRedirectAllowURLs([]url.URL{*urlx.ParseOrPanic("/foo")})} + }) + _, body := makeRequest(t, s, "?return_to=/foo/kratos%23abcd") + assert.Equal(t, body, "/foo/kratos#abcd") + }) + t.Run("case=return to default URL if nothing is allowed", func(t *testing.T) { s := newServer(t, false, false, false, nil) _, body := makeRequest(t, s, "?return_to=/foo")