Only check group membership if 'g' param is actually set

Classic mistake with strings.Split("").

Only check group membership if 'g' param is actually set
f430169e · ale · 775db71e · f430169e
Commit f430169e authored 7 years ago by ale
--- a/server/http.go
+++ b/server/http.go
@@ -157,18 +157,20 @@ func (h *Server) handleHomepage(w http.ResponseWriter, req *http.Request, sessio
 	service := req.FormValue("s")
 	destination := req.FormValue("d")
 	nonce := req.FormValue("n")
-	var groups []string
-	reqGroups := strings.Split(req.FormValue("g"), ",")
-	if len(reqGroups) > 0 && session.UserInfo != nil {
-		groups = intersectGroups(reqGroups, session.UserInfo.Groups)
-		// We only make this check here as a convenience to
-		// the user (we may be able to show a nicer UI): the
-		// actual group ACL must be applied on the destination
-		// service, because the 'g' parameter is untrusted at
-		// this stage.
-		if len(groups) == 0 {
-			http.Error(w, "Unauthorized", http.StatusUnauthorized)
-			return
+	var groups, reqGroups []string
+	if gstr := req.FormValue("g"); gstr != "" {
+		reqGroups = strings.Split(gstr, ",")
+		if len(reqGroups) > 0 && session.UserInfo != nil {
+			groups = intersectGroups(reqGroups, session.UserInfo.Groups)
+			// We only make this check here as a convenience to
+			// the user (we may be able to show a nicer UI): the
+			// actual group ACL must be applied on the destination
+			// service, because the 'g' parameter is untrusted at
+			// this stage.
+			if len(groups) == 0 {
+				http.Error(w, "Unauthorized", http.StatusUnauthorized)
+				return
+			}
 		}
 	}