Files
infinite-canvas/service
aeonframework 5ca5b72b01 fix(security): block open redirect in login redirect target
The login redirect accepted any value beginning with a single slash, so a
protocol-relative URL such as "//evil.com" (or a backslash variant) slipped
through and the browser resolved it to an external site. Both the Go OAuth
state decoder and the web login page used the same prefix-only check, so an
attacker could send a victim to /login?redirect=//evil.com — or supply it via
the Linux.do OAuth redirect param — and bounce them off-site after login.

Harden both layers: strip Tab/CR/LF (which browsers ignore inside URLs) and
reject protocol-relative and backslash-prefixed targets, allowing only genuine
same-site relative paths.

Detected by Aeon + semgrep (go.lang.security.injection.open-redirect).
Severity: medium
CWE-601 (URL Redirection to Untrusted Site)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-27 20:06:22 +00:00
..
2026-05-19 19:50:36 +08:00
2026-05-19 19:50:36 +08:00