[arvados] updated: 2.5.0-308-g2bc1519df
Summary of changes:
lib/controller/localdb/login.go | 5 +++++
1 file changed, 5 insertions(+)
via 2bc1519df3f1995c852cf9bfba6e85ebd0f33c84 (commit)
from bdde690c4479ae294707a65f4f4d259427611d70 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
commit 2bc1519df3f1995c852cf9bfba6e85ebd0f33c84
Author: Tom Clegg <tom at curii.com>
Date: Tue Mar 28 17:05:26 2023 -0400
20264: Reject redirect target with userinfo.
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at curii.com>
diff --git a/lib/controller/localdb/login.go b/lib/controller/localdb/login.go
index 18537b202..f9b968a70 100644
--- a/lib/controller/localdb/login.go
+++ b/lib/controller/localdb/login.go
@@ -164,6 +164,8 @@ func (conn *Conn) CreateAPIClientAuthorization(ctx context.Context, rootToken st
return
}
+var errUserinfoInRedirectTarget = errors.New("redirect target rejected because it contains userinfo")
+
func validateLoginRedirectTarget(cluster *arvados.Cluster, returnTo string) error {
u, err := url.Parse(returnTo)
if err != nil {
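Review bot: The new package-level sentinel `errUserinfoInRedirectTarget` is introduced without a doc comment, so a reader of the constant alone cannot tell which check produces it or why userinfo is a problem for a login redirect target. I would add, above the `var` line, `// errUserinfoInRedirectTarget is returned by validateLoginRedirectTarget when the` / `// returnTo URL carries a user[:password]@ component; such URLs are refused` / `// outright instead of being compared against cluster.Login.TrustedClients.` — the TrustedClients comparison is visible in the second hunk, the rest is what the identifier name states. The message text itself is fine: lowercase, no trailing punctuation, and it names the rejected input rather than a generic failure. validateLoginRedirectTarget begins here and its body continues past the end of this hunk.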
@@ -173,6 +175,9 @@ func validateLoginRedirectTarget(cluster *arvados.Cluster, returnTo string) erro
if err != nil {
return err
}
+ if u.User != nil {
+ return errUserinfoInRedirectTarget
+ }
target := origin(*u)
for trusted := range cluster.Login.TrustedClients {
trustedOrigin := origin(url.URL(trusted))
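Review bot: The added `if u.User != nil` guard ships without a test: the diffstat lists only lib/controller/localdb/login.go, so nothing pins that `https://user:pw@` prefixed onto an otherwise trusted origin now fails with errUserinfoInRedirectTarget rather than passing the TrustedClients loop below it. I would add such a case to the existing login tests, checking the returned error with `errors.Is(err, errUserinfoInRedirectTarget)` so a later wrap does not silently break the assertion. As far as I recall, net/url sets `User` to a non-nil but empty Userinfo whenever an `@` appears in the authority (`https://@host/`), so the nil check also covers that degenerate form; a one-line comment such as `// Reject any user[:password]@ component before the origin check; net/url sets User (possibly empty) whenever "@" appears in the authority.` would keep a future maintainer from "tightening" it to `u.User.Username() != ""` and reopening the hole. The enclosing function starts in the previous hunk and ends outside this one, so I cannot see whether the TrustedClients loop has a matching negative case.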