ekzyis/stacker.news
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix slash after stacker.news not required

Browse Source 
The slash should be required else we could still redirect to external sites.

For example, a site could just use "stacker.news" as a subdomain: https://stacker.news.mallory.com/
This commit is contained in:
ekzyis 2023-05-07 14:13:53 +02:00 committed by Keyan
parent decca40c94
commit a396933be2
2 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
pages/login.js
View File

@ -6,7 +6,7 @@ import Login from '../components/login'
export async function getServerSideProps ({ req, res, query: { callbackUrl, error = null } }) {
const session = await getSession({ req })
const regex = /^https?:\/\/stacker.news\/?/
const regex = /^https?:\/\/stacker.news\//
const external = !regex.test(decodeURIComponent(callbackUrl))
if (external) {
// This is a hotfix for open redirects. See https://github.com/stackernews/stacker.news/issues/264

2
pages/signup.js
View File

@ -6,7 +6,7 @@ import Login from '../components/login'
export async function getServerSideProps ({ req, res, query: { callbackUrl, error = null } }) {
const session = await getSession({ req })
const regex = /^https?:\/\/stacker.news\/?/
const regex = /^https?:\/\/stacker.news\//
const external = !regex.test(decodeURIComponent(callbackUrl))
if (external) {
// This is a hotfix for open redirects. See https://github.com/stackernews/stacker.news/issues/264