    fix: remove duplicate query parameters on HTTPS redirect (#6460) · 545ba4ec
    Kyle Gehmlich authored
    HTTPS redirection rebuilds the full URL using req.originalUrl, which
    includes query parameters (see
    https://expressjs.com/en/api.html#req.originalUrl). Prior to this patch,
    appending the stringified query params to req.originalUrl resulted in
    duplicate parameters, e.g.
    wiki.js/callback?session=123&code=abc?session=123&code=abc
    which caused errors when being redirected from an insecure (http://)
    callback URL to a secure version when using OIDC (e.g. with Keycloak).
    
    This issue is probably rare, but in cases where HTTPS redirection is
    enabled and a user tries to hit an insecure URL with query parameters,
    it could cause problems.
Name
auth.js
common.js
ssl.js
upload.js