Skip to content

Commit

Permalink
fix: URL with hash sign in after_verification_return_to stays encoded (
Browse files Browse the repository at this point in the history
  • Loading branch information
martinboehm authored Jan 31, 2022
1 parent 4920c02 commit 735ecee
Show file tree
Hide file tree
Showing 2 changed files with 9 additions and 1 deletion.
2 changes: 1 addition & 1 deletion x/http_secure_redirect.go
Original file line number Diff line number Diff line change
Expand Up @@ -87,7 +87,7 @@ func SecureRedirectTo(r *http.Request, defaultReturnTo *url.URL, opts ...SecureR

if len(source.Query().Get("return_to")) == 0 {
return o.defaultReturnTo, nil
} else if returnTo, err = url.ParseRequestURI(source.Query().Get("return_to")); err != nil {
} else if returnTo, err = url.Parse(source.Query().Get("return_to")); err != nil {
return nil, herodot.ErrInternalServerError.WithWrap(err).WithReasonf("Unable to parse the return_to query parameter as an URL: %s", err)
}

Expand Down
8 changes: 8 additions & 0 deletions x/http_secure_redirect_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -143,6 +143,14 @@ func TestSecureRedirectTo(t *testing.T) {
return res, string(body)
}

t.Run("case=return to a relative path with anchor works", func(t *testing.T) {
s := newServer(t, false, true, false, func(ts *httptest.Server) []x.SecureRedirectOption {
return []x.SecureRedirectOption{x.SecureRedirectAllowURLs([]url.URL{*urlx.ParseOrPanic("/foo")})}
})
_, body := makeRequest(t, s, "?return_to=/foo/kratos%23abcd")
assert.Equal(t, body, "/foo/kratos#abcd")
})

t.Run("case=return to default URL if nothing is allowed", func(t *testing.T) {
s := newServer(t, false, false, false, nil)
_, body := makeRequest(t, s, "?return_to=/foo")
Expand Down

0 comments on commit 735ecee

Please sign in to comment.