Do not use postentially harmful error message in redirect

2022-08-18 19:40:30 -04:00 · 2022-08-18 19:40:30 -04:00 · 74526f0f12
parent fce9e23dd4
commit 74526f0f12
2 changed files with 2 additions and 2 deletions
--- a/lib/omniauth/failure_endpoint.rb
+++ b/lib/omniauth/failure_endpoint.rb
@ -27,7 +27,7 @@ module OmniAuth

    def redirect_to_failure
      message_key = env['omniauth.error.type']
-      new_path = "#{env['SCRIPT_NAME']}#{OmniAuth.config.path_prefix}/failure?message=#{message_key}#{origin_query_param}#{strategy_name_query_param}"
+      new_path = "#{env['SCRIPT_NAME']}#{OmniAuth.config.path_prefix}/failure?message=#{Rack::Utils.escape(message_key)}#{origin_query_param}#{strategy_name_query_param}"
      Rack::Response.new(['302 Moved'], 302, 'Location' => new_path).finish
    end

--- a/lib/omniauth/version.rb
+++ b/lib/omniauth/version.rb
@ -1,3 +1,3 @@
 module OmniAuth
-  VERSION = '1.9.1'.freeze
+  VERSION = '1.9.2'.freeze
 end