From 2984ed9ac0063593da972acaa6b54c2f5eeea190 Mon Sep 17 00:00:00 2001
From: Martin Boehm
Date: Tue, 25 Jan 2022 17:56:38 +0100
Subject: [PATCH] fix: URL with hash sign in after_verification_return_to stays encoded
---
 x/http_secure_redirect.go | 2 +-
 x/http_secure_redirect_test.go | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/x/http_secure_redirect.go b/x/http_secure_redirect.go
index 8be06b07e53..b298b14e18c 100644
--- a/x/http_secure_redirect.go
+++ b/x/http_secure_redirect.go
@@ -87,7 +87,7 @@ func SecureRedirectTo(r *http.Request, defaultReturnTo *url.URL, opts ...SecureR
 
 if len(source.Query().Get("return_to")) == 0 {
 return o.defaultReturnTo, nil
- } else if returnTo, err = url.ParseRequestURI(source.Query().Get("return_to")); err != nil {
+ } else if returnTo, err = url.Parse(source.Query().Get("return_to")); err != nil {
 return nil, herodot.ErrInternalServerError.WithWrap(err).WithReasonf("Unable to parse the return_to query parameter as an URL: %s", err)
 }
 
diff --git a/x/http_secure_redirect_test.go b/x/http_secure_redirect_test.go
index 234c5630ee8..8596951f28b 100644
--- a/x/http_secure_redirect_test.go
+++ b/x/http_secure_redirect_test.go
@@ -143,6 +143,14 @@ func TestSecureRedirectTo(t *testing.T) {
 return res, string(body)
 }
 
+ t.Run("case=return to a relative path with anchor works", func(t *testing.T) {
+ s := newServer(t, false, true, false, func(ts *httptest.Server) []x.SecureRedirectOption {
+ return []x.SecureRedirectOption{x.SecureRedirectAllowURLs([]url.URL{*urlx.ParseOrPanic("/foo")})}
+ })
+ _, body := makeRequest(t, s, "?return_to=/foo/kratos%23abcd")
+ assert.Equal(t, body, "/foo/kratos#abcd")
+ })
+
 t.Run("case=return to default URL if nothing is allowed", func(t *testing.T) {
 s := newServer(t, false, false, false, nil)
 _, body := makeRequest(t, s, "?return_to=/foo")
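Review bot: Swapping `url.ParseRequestURI` for `url.Parse` on the `return_to` line fixes the fragment case but also admits inputs the old call rejected as "invalid URI for request": opaque URIs (scheme present, `Opaque` set, `Host` empty), scheme-relative references such as `//host/path` (now parsed with a `Host`), and bare relative paths with no leading slash. Whether these forms are handled safely by the allow-list comparison depends on the rest of `SecureRedirectTo`, which starts before and continues after this hunk, so the parser loosening should be paired with an explicit guard immediately after the parse, e.g. `} else if returnTo.Opaque != "" || (returnTo.Host == "" && !strings.HasPrefix(returnTo.Path, "/")) {` returning the same `ErrInternalServerError` (or a bad-request error), and the scheme-relative form must be matched against the allow-list like any other absolute URL. A why-comment on the parse line, `// url.Parse, not ParseRequestURI: return_to may carry a #fragment`, would keep the next reader from reverting this. The existing message "as an URL" would also read better as "as a URL".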
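Review bot: In the new `case=return to a relative path with anchor works` subtest the `assert.Equal` arguments are reversed; testify takes `(t, expected, actual)`, so a failure would report the literal as the "actual" value: `assert.Equal(t, "/foo/kratos#abcd", body)`. Since the production change widens what the parser accepts, this positive test should be accompanied by a negative one that asserts a scheme-relative `?return_to=//example.com/foo` and a bare relative `?return_to=foo` (constructed samples) still fall back to the default redirect when only `/foo` is allowed, so the relaxed parsing cannot regress the allow-list silently. `TestSecureRedirectTo` starts before and continues after this hunk.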