search

stormpath / express-stormpath

Build simple, secure web applications with Stormpath and Express!
http://docs.stormpath.com/nodejs/express/
Apache License 2.0
325 stars 111 forks source link

Login form does not safe encode next query parameter #595

Open KamalAman opened 7 years ago

KamalAman commented 7 years ago

In the Login form when the user needs to be authenticated, the next query parameter does is not URI encoded with encodeURIComponent.

Example

request /resource?pretty&test=1 Authentication Failed redirect login?next=/resource?pretty&test=1

However the redirect should be redirect login?next=%2Fresource%3Fpretty%26test%3D1

Proposed change: Add encodeURIComponent when setting next, and decodeURIComponent when redirecting after successful login

  var nextUri = url.parse(req.query.next || '').path;
  var formActionUri = (config.web.login.uri + (nextUri ? ('?next=' + encodeURIComponent(nextUri)) : ''));

   if (req.user && config.web.login.enabled) {
      var nextUrl = decodeURIComponent(nextUri || config.web.login.nextUri);
      return res.redirect(302, nextUrl);
   }

Currently, the original query parameters after the first one does not get included when redirected

robertjd commented 7 years ago

Thanks @KamalAman ! We'll get this fixed.