    fix: remove duplicate query parameters on HTTPS redirect (#6460) · 545ba4ec
    Kyle Gehmlich authored
    HTTPS redirection rebuilds the full URL using req.originalUrl, which
    includes query parameters (see
    https://expressjs.com/en/api.html#req.originalUrl). Prior to this patch,
    appending the stringified query params to req.originalUrl resulted in
    duplicate parameters, e.g.
    wiki.js/callback?session=123&code=abc?session=123&code=abc
    which caused errors when being redirected from an insecure (http://)
    callback URL to a secure version when using OIDC (e.g. with keycloak).
    
    This issue is probably rare, but in cases where HTTPS redirection is
    enabled and a user tries to hit an insecure URL with query parameters,
    it could cause problems.
Name
.devcontainer
.github
.vscode
client
dev
server
.babelrc
.editorconfig
.eslintignore
.eslintrc.yml
.gitattributes
.gitignore
.npmrc
.nvmrc
LICENSE
README.md
SECURITY.md
config.sample.yml
cypress.json
package.json
yarn.lock