Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Encode SSO redirect URL as it may contain multiple query parameters #911

Merged
merged 1 commit into from
Oct 28, 2022
Merged

Encode SSO redirect URL as it may contain multiple query parameters #911

merged 1 commit into from
Oct 28, 2022

Conversation

psrpinto
Copy link
Contributor

@psrpinto psrpinto commented Oct 27, 2022
edited
Loading

If the returnURL contains multiple query parameters (e.g. http://localhost:3000?foo=bar&bar=baz), the homeserver would fail to correctly parse the URL, and only the first query parameter would be kept.

This is not an issue with the homeserver since the URL cannot be parsed in an unambiguous way, as the resulting URL would be:

https://example.com/_matrix/client/r0/login/sso/redirect?redirectUrl=http://localhost:3000?foo=bar&bar=baz

It's not possible to know whether the bar parameter is part of the "parent" URL, or part of the redirectUrl parameter.

To fix this, we now encode the redirectUrl parameter, which results in:

https://example.com/_matrix/client/r0/login/sso/redirect?redirectUrl=http%3A%2F%2Flocalhost%3A3000%3Ffoo%3Dbar%26bar%3Dbaz

This URL is correctly parsed by synapse.

@psrpinto
Encode SSO redirect URL as it may contain multiple query parameters
ad02c16 
If the returnURL contains multiple query parameters (e.g. http://localhost:3000?foo=bar&bar=baz), the homeserver would fail to correctly parse the URL, and only the first query parameter would be kept.

This is not an issue with the homeserver since the URL cannot be parsed in an unambiguous way, as the resulting URL would be:

https://example.com/_matrix/client/r0/login/sso/redirect?redirectUrl=http://localhost:3000?foo=bar&bar=baz

It's not possible to know whether the bar parameter is part of the "parent" URL, or part of the redirectUrl parameter.

----

To fix this, we now encode the redirectUrl parameter, which results in:

https://example.com/_matrix/client/r0/login/sso/redirect?redirectUrl=http%3A%2F%2Flocalhost%3A3000%2Fparent.html%3Ffoo%3Dbar%26bar%3Dbaz

This URL is correctly parsed by synapse.
@psrpinto psrpinto mentioned this pull request Oct 27, 2022
Merged
bwindels
bwindels approved these changes Oct 28, 2022
View reviewed changes
Copy link
Contributor

@bwindels bwindels left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This indeed seems like an obvious omission, thanks!

@bwindels bwindels merged commit c199d45 into element-hq:master Oct 28, 2022
@psrpinto
Copy link
Contributor Author

Thanks for the quick review and merge!

@psrpinto psrpinto deleted the fix-sso-redirect-url branch October 28, 2022 13:21
psrpinto added a commit to Automattic/chatrix that referenced this pull request Dec 13, 2022
@psrpinto
Don't encode URL
edb9763 
Hydrogen already encodes it since element-hq/hydrogen-web#911
@psrpinto psrpinto mentioned this pull request Dec 13, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bwindels bwindels bwindels approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@psrpinto @bwindels