wikijs-fork/server/controllers
Kyle Gehmlich 545ba4ec95
fix: remove duplicate query parameters on HTTPS redirect (#6460)
HTTPS redirection rebuilds the full URL using req.originalUrl, which
includes query parameters (see
https://expressjs.com/en/api.html#req.originalUrl). Prior to this patch,
appending the stringified query params to req.originalUrl resulted in
duplicate parameters, e.g.
wiki.js/callback?session=123&code=abc?session=123&code=abc
which caused errors when being redirected from an insecure (http://)
callback URL to a secure version when using OIDC (e.g. with Keycloak).

This issue is probably rare, but in cases where HTTPS redirection is
enabled and a user tries to hit an insecure URL with query parameters,
it could cause problems.
2023-06-03 23:19:01 -04:00
auth.js fix: loginRedirect doesn't work for non local strategies (#3222) 2021-03-18 21:56:59 -04:00
common.js feat: include query parameters in locale redirect (#6132) 2023-02-16 19:04:19 -05:00
ssl.js fix: remove duplicate query parameters on HTTPS redirect (#6460) 2023-06-03 23:19:01 -04:00
upload.js fix: disallow # char in file uploads (#3770) 2021-05-20 15:16:26 -04:00