chore: don't return allowed return URLs (#4044)
jonas-jonas authored Aug 26, 2024
1 parent 45bbec4 commit 54cb464
Showing 1 changed file with 2 additions and 6 deletions.
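--- a/x/http_secure_redirect.go
+++ b/x/http_secure_redirect.go
@@ -17,8 +17,6 @@ import (
 "github.com/ory/x/stringsx"
 "github.com/ory/x/urlx"
 
-"github.com/samber/lo"
-
 "github.com/ory/kratos/driver/config"
 )
 
@@ -145,10 +143,8 @@ func SecureRedirectTo(r *http.Request, defaultReturnTo *url.URL, opts ...SecureR
 
 return nil, errors.WithStack(herodot.ErrBadRequest.
 WithID(text.ErrIDRedirectURLNotAllowed).
-WithReasonf("Requested return_to URL %q is not allowed.", returnTo).
-WithDebugf("Allowed domains are: %v", strings.Join(lo.Map(o.allowlist, func(u url.URL, _ int) string {
-return u.String()
-}), ", ")))
+WithReasonf("Requested return_to URL %q is not allowed.", returnTo),
+)
 }
 
 func SecureContentNegotiationRedirection(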
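Review bot: Nothing at the `return nil, errors.WithStack(...)` site records why the allowlist is left out of the error, and the commit touches only this file, so no test pins the new behaviour. I would add a comment above the return such as `// Do not include o.allowlist in the error: it is client-visible and would disclose the configured return URLs.` and a test case asserting that the error for a rejected `return_to` carries no allowlist entry. The reason still echoes the caller-supplied `returnTo`; `%q` quotes it, but anything that renders the reason should presumably still treat it as untrusted input. If operators relied on the debug text to diagnose a misconfigured allowlist, a server-side log line would keep that diagnostic without exposing it to clients. SecureRedirectTo begins outside this hunk, so how `o.allowlist` is matched against `returnTo` is not visible here.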
