From b7d6e7a6bf7d682ae149a92c75c02226d51fc010 Mon Sep 17 00:00:00 2001
From: Joel Speed
Date: Sun, 14 Feb 2021 11:38:20 +0000
Subject: [PATCH] Ensure redirect URI always has a scheme
---
 CHANGELOG.md | 1 +
 oauthproxy.go | 6 ++++++
 pkg/validation/options.go | 8 +++++---
 3 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8515e5d2c0..4abe5e82de 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@
 ## Changes since v7.0.1
+- [#1045](https://github.com/oauth2-proxy/oauth2-proxy/pull/1045) Ensure redirect URI always has a scheme (@JoelSpeed)
 - [#914](https://github.com/oauth2-proxy/oauth2-proxy/pull/914) Extract email from id_token for azure provider when oidc is configured
 - [#1047](https://github.com/oauth2-proxy/oauth2-proxy/pull/1047) Refactor HTTP Server and add ServerGroup to handle graceful shutdown of multiple servers (@JoelSpeed)
 - [#1070](https://github.com/oauth2-proxy/oauth2-proxy/pull/1070) Refactor logging middleware to middleware package (@NickMeves)
diff --git a/oauthproxy.go b/oauthproxy.go
index 0a9669f3f1..f1bd9a6216 100755
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -35,6 +35,7 @@ import (
 )
 const (
+	schemeHTTP = "http"
 	schemeHTTPS = "https"
 	applicationJSON = "application/json"
 )
@@ -971,6 +972,11 @@ func (p *OAuthProxy) getOAuthRedirectURI(req *http.Request) string {
 	rd.Host = requestutil.GetRequestHost(req)
 	rd.Scheme = requestutil.GetRequestProto(req)
+	// If there's no scheme in the request, we should still include one
+	if rd.Scheme == "" {
+		rd.Scheme = schemeHTTP
+	}
+
 	// If CookieSecure is true, return `https` no matter what
 	// Not all reverse proxies set X-Forwarded-Proto
 	if p.CookieSecure {
diff --git a/pkg/validation/options.go b/pkg/validation/options.go
index 35c3ae1a80..220438edfa 100644
--- a/pkg/validation/options.go
+++ b/pkg/validation/options.go
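Review bot: The fallback at `rd.Scheme = schemeHTTP` settles on cleartext even when the request arrived on a TLS listener that oauth2-proxy terminates itself, if `requestutil.GetRequestProto` (not visible here) does not consult `req.TLS`; the redirect_uri is where the IdP delivers the authorization code, so an `http` value there downgrades the code exchange rather than just a user-facing redirect. I would check `req.TLS != nil` before defaulting to `http`, as below, and keep the later `CookieSecure` override as the hard floor. Whether GetRequestProto already covers this cannot be told from this hunk, so confirm against that helper before applying. `getOAuthRedirectURI` starts before and ends after the hunk.
```go
	// If there's no scheme in the request, we should still include one.
	// Prefer https when this listener terminated TLS itself, so the
	// authorization code is not returned over cleartext.
	if rd.Scheme == "" {
		rd.Scheme = schemeHTTP
		if req.TLS != nil {
			rd.Scheme = schemeHTTPS
		}
	}
	// … unchanged: CookieSecure override …
```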
@@ -30,6 +30,8 @@ func Validate(o *options.Options) error {
 	msgs = append(msgs, validateRedisSessionStore(o)...)
 	msgs = append(msgs, prefixValues("injectRequestHeaders: ", validateHeaders(o.InjectRequestHeaders)...)...)
 	msgs = append(msgs, prefixValues("injectResponseHeaders: ", validateHeaders(o.InjectResponseHeaders)...)...)
+	msgs = parseSignatureKey(o, msgs)
+	msgs = configureLogger(o.Logging, msgs)
 	if o.SSLInsecureSkipVerify {
 		// InsecureSkipVerify is a configurable option we allow
@@ -175,6 +177,9 @@ func Validate(o *options.Options) error {
 	var redirectURL *url.URL
 	redirectURL, msgs = parseURL(o.RawRedirectURL, "redirect", msgs)
 	o.SetRedirectURL(redirectURL)
+	if o.RawRedirectURL == "" && !o.Cookie.Secure && !o.ReverseProxy {
+		logger.Print("WARNING: no explicit redirect URL: redirects will default to insecure HTTP")
+	}
 	msgs = append(msgs, validateUpstreams(o.UpstreamServers)...)
 	msgs = parseProviderInfo(o, msgs)
@@ -191,9 +196,6 @@ func Validate(o *options.Options) error {
 		}
 	}
-	msgs = parseSignatureKey(o, msgs)
-	msgs = configureLogger(o.Logging, msgs)
-
 	if o.ReverseProxy {
 		parser, err := ip.GetRealClientIPParser(o.RealClientIPHeader)
 		if err != nil {
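Review bot: The warning added after `o.SetRedirectURL(redirectURL)` is suppressed whenever `o.ReverseProxy` is set, yet that is the deployment where the scheme is taken from a forwarded header which, as the oauthproxy.go hunk in this same patch notes, not every reverse proxy sets — so the silent `http` fallback can still fire there with no log line at all. Consider dropping the `!o.ReverseProxy` term, or at least rewording the message so it names the operator's remedy: `logger.Print("WARNING: no explicit redirect URL and cookie-secure is false: redirects will default to insecure HTTP; set --redirect-url or --cookie-secure")`. The flag names are my recollection of how `RawRedirectURL` and `Cookie.Secure` are exposed and should be checked against the flag set. `Validate` starts before and ends after the hunk.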