Skip to content

Commit

Permalink
fix: remove duplicate query parameters on HTTPS redirect (#6460)
Browse files Browse the repository at this point in the history
HTTPS redirection rebuilds the full URL using req.originalUrl, which
includes query parameters (see
https://expressjs.com/en/api.html#req.originalUrl). Prior to this patch,
appending the stringified query params to req.originalUrl resulted in
duplicate parameters, e.g.
wiki.js/callback?session=123&code=abc?session=123&code=abc
which caused errors when being redirected from an insecure (http://)
callback URL to a secure version when using OIDC (e.g. with keycloak).

This issue is probably rare, but in cases where HTTPS redirection is
enabled and a user tries to hit an insecure URL with query parameters,
it could cause problems.
  • Loading branch information
kgehmlich authored Jun 4, 2023
1 parent 3bf1d9c commit 545ba4e
Showing 1 changed file with 1 addition and 2 deletions.
3 changes: 1 addition & 2 deletions server/controllers/ssl.js
Original file line number Diff line number Diff line change
Expand Up @@ -28,8 +28,7 @@ router.get('/.well-known/acme-challenge/:token', (req, res, next) => {
*/
router.all('/*', (req, res, next) => {
if (WIKI.config.server.sslRedir && !req.secure && WIKI.servers.servers.https) {
let query = (!_.isEmpty(req.query)) ? `?${qs.stringify(req.query)}` : ``
return res.redirect(`https://${req.hostname}${req.originalUrl}${query}`)
return res.redirect(`https://${req.hostname}${req.originalUrl}`)
} else {
next()
}
Expand Down

0 comments on commit 545ba4e

Please sign in to comment.