Dasko/GoNtech
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

Bezbednost: ispravka otvorene redirekcije (open redirect)

Browse Source 
- podesavanja.go: _next parametar sada odbacuje putanje koje počinju sa "//"
  (npr. "//evil.com" prolazilo je staru proveru jer počinje sa "/")
- profil.go: Referer zaglavlje se parsira i koristi samo putanja (RequestURI),
  bez hosta — sprečava preusmeravanje na spoljne domene
This commit is contained in:
Dalibor Marković
2026-06-16 03:09:06 +02:00
parent d7c53429c7
commit f9af825a27
1 changed files with 6 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/handler/profil.go
+5 -2
View File
@@ -5,6 +5,7 @@ import (
"io"
"log/slog"
"net/http"
"net/url"
"os"
"path/filepath"
"strings"
@@ -282,11 +283,13 @@ func (h *Handler) SacuvajLokalnuTemu(w http.ResponseWriter, r *http.Request) {
}
middleware.SetFlash(w, r, h.DB, "uspeh", "Tema je sačuvana.")
// vrati korisnika na stranicu odakle je došao (Referer), ili na profil kao fallback
// koristimo samo putanju iz Referer zaglavlja — nikad ceo URL jer može biti spoljni sajt
if ref := r.Referer(); ref != "" {
http.Redirect(w, r, ref, http.StatusSeeOther)
if u, err := url.Parse(ref); err == nil {
http.Redirect(w, r, u.RequestURI(), http.StatusSeeOther)
return
}
}
http.Redirect(w, r, "/admin/profil", http.StatusSeeOther)
}