fix(auth): prevent open redirect via callback_ui (#3844)

Validate callback_ui and default invalid values to /.
Allow absolute callback_ui only when its origin is allowlisted via http.auth.openid.callbackAllowOrigins (and externalUrl).
Add/adjust unit + controller tests and update examples/docs for relative vs allowlisted absolute redirect.

Signed-off-by: Andrei Aaron <andreifdaaron@gmail.com>
This commit is contained in:
Andrei Aaron
2026-03-08 08:13:16 +02:00
committed by GitHub
parent 6f67fcdf8f
commit 9425ca8b7d
10 changed files with 368 additions and 12 deletions
@@ -16,6 +16,7 @@
"sessionKeysFile": "examples/sessionKeys.json",
"apikey": true,
"openid": {
"callbackAllowOrigins": ["http://127.0.0.1:3000"],
"providers": {
"github": {
"credentialsFile": "examples/config-openid-github-credentials.json",
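Review bot: the added `"callbackAllowOrigins": ["http://127.0.0.1:3000"],` line is the only hint an operator copying this example gets about the expected value format, and JSON leaves no room for an inline comment, so the examples/docs update named in the commit message should state explicitly that entries are compared as complete origins (scheme, host and port, no path), and whether a value with a trailing path or without an explicit port is expected to match. It would also help to say there whether the origin of `externalUrl` is accepted implicitly, so operators do not need to repeat it in this list.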