From ac4f2fccb07e5cf0f1fa3efaa77550f916f328d5 Mon Sep 17 00:00:00 2001
From: Evan Anderson <evan@stacklok.com>
Date: Mon, 13 Jan 2025 08:15:53 -0800
Subject: [PATCH] Fix localhost detection for URL redirect protection (#5293)

---
 internal/controlplane/handlers_oauth.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/controlplane/handlers_oauth.go b/internal/controlplane/handlers_oauth.go
index e0aab715ab..1e800beec6 100644
--- a/internal/controlplane/handlers_oauth.go
+++ b/internal/controlplane/handlers_oauth.go
@@ -195,7 +195,7 @@ func (s *Server) alllowedRedirectURL(redirectUrl *url.URL) bool {
 	if redirectUrl == nil || redirectUrl.String() == "" {
 		return true // Empty URL is allowed
 	}
-	if redirectUrl.Host == "localhost" {
+	if redirectUrl.Hostname() == "localhost" {
 		return true
 	}
 	hostUrl, err := redirectUrl.Parse("/")
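Review bot: The localhost exemption on the changed line decides an open-redirect allowlist, yet the diffstat shows only handlers_oauth.go changed, so no test pins which hosts this branch accepts. A table test for alllowedRedirectURL would help, with constructed cases such as `http://localhost:8080/cb` (accepted) and `http://localhost.example.com/` (must fall through to the host comparison below). The comparison is case-sensitive and url.Parse keeps the host's case, so a mixed-case host fails closed here; `strings.EqualFold(redirectUrl.Hostname(), "localhost")` would accept it if that is wanted. A why-comment such as `// Hostname() strips the port, so localhost:PORT callbacks match` would record why Host was not enough. The function body starts and ends outside the hunk, so I cannot see whether a scheme check follows.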