fix(auth): prevent open redirect via callback_ui (#3844)

Validate callback_ui and default invalid values to /.
Allow absolute callback_ui only when its origin is allowlisted via http.auth.openid.callbackAllowOrigins (and externalUrl).
Add/adjust unit and controller tests, and update examples/docs for relative vs. allowlisted absolute redirects.

Signed-off-by: Andrei Aaron <andreifdaaron@gmail.com>
Andrei Aaron
2026-03-08 08:13:16 +02:00
committed by GitHub
parent 6f67fcdf8f
commit 9425ca8b7d
10 changed files with 368 additions and 12 deletions
+2 -2
@@ -123,9 +123,9 @@ func proxyHTTPRequest(ctx context.Context, req *http.Request,
// Get HTTP TLS config safely
httpTLSConfig := ctrlr.Config.CopyTLSConfig()
proxyQueryScheme := "http"
proxyQueryScheme := constants.SchemeHTTP
if httpTLSConfig != nil {
proxyQueryScheme = "https"
proxyQueryScheme = constants.SchemeHTTPS
}
cloneURL.Scheme = proxyQueryScheme