From ac4f2fccb07e5cf0f1fa3efaa77550f916f328d5 Mon Sep 17 00:00:00 2001
From: Evan Anderson <evan@stacklok.com>
Date: Mon, 13 Jan 2025 08:15:53 -0800
Subject: [PATCH] Fix localhost detection for URL redirect protection (#5293)
---
 internal/controlplane/handlers_oauth.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/internal/controlplane/handlers_oauth.go b/internal/controlplane/handlers_oauth.go
index e0aab715ab..1e800beec6 100644
--- a/internal/controlplane/handlers_oauth.go
+++ b/internal/controlplane/handlers_oauth.go
@@ -195,7 +195,7 @@ func (s *Server) alllowedRedirectURL(redirectUrl *url.URL) bool {
 if redirectUrl == nil || redirectUrl.String() == "" {
 return true // Empty URL is allowed
 }
- if redirectUrl.Host == "localhost" {
+ if redirectUrl.Hostname() == "localhost" {
 return true
 }
 hostUrl, err := redirectUrl.Parse("/")
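Review bot: The new `Hostname()` comparison makes the exemption accept `localhost` on any port (presumably the intent for local callback URLs), but it remains an exact, case-sensitive string match that does not cover loopback IP literals such as `127.0.0.1` or `::1`, and nothing in this branch constrains the scheme before the early `return true`. If that narrow match is deliberate, it deserves a comment right above the new line, e.g. `// Exempt only the literal host "localhost" (any port); loopback IPs and the scheme are not special-cased here`, so a later reader does not widen or tighten the allow-list by accident. As a point of style, the function name `alllowedRedirectURL` in the hunk header carries a triple "l" and the parameter `redirectUrl` departs from Go's `redirectURL` initialism convention. The function body continues beyond the end of the hunk.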