ekzyis
/
stacker.news
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix slash after stacker.news not required 

The slash should be required else we could still redirect to external sites.

For example, a site could just use "stacker.news" as a subdomain: https://stacker.news.mallory.com/
This commit is contained in:
ekzyis 2023-05-07 14:13:53 +02:00 committed by Keyan
parent decca40c94
commit a396933be2
2 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
pages/login.js
View File

@ -6,7 +6,7 @@ import Login from '../components/login'
export async function getServerSideProps ({ req, res, query: { callbackUrl, error = null } }) {
const session = await getSession({ req })
const regex = /^https?:\/\/stacker.news\/?/
const regex = /^https?:\/\/stacker.news\//
const external = !regex.test(decodeURIComponent(callbackUrl))
if (external) {
// This is a hotfix for open redirects. See https://github.com/stackernews/stacker.news/issues/264

2
pages/signup.js
View File

@ -6,7 +6,7 @@ import Login from '../components/login'
export async function getServerSideProps ({ req, res, query: { callbackUrl, error = null } }) {
const session = await getSession({ req })
const regex = /^https?:\/\/stacker.news\/?/
const regex = /^https?:\/\/stacker.news\//
const external = !regex.test(decodeURIComponent(callbackUrl))
if (external) {
// This is a hotfix for open redirects. See https://github.com/stackernews/stacker.news/issues/264