Commit f430169e authored by ale's avatar ale

Only check group membership if 'g' param is actually set

Classic mistake with strings.Split("").
parent 775db71e
Pipeline #600 passed with stages
in 1 minute and 5 seconds
......@@ -157,18 +157,20 @@ func (h *Server) handleHomepage(w http.ResponseWriter, req *http.Request, sessio
service := req.FormValue("s")
destination := req.FormValue("d")
nonce := req.FormValue("n")
var groups []string
reqGroups := strings.Split(req.FormValue("g"), ",")
if len(reqGroups) > 0 && session.UserInfo != nil {
groups = intersectGroups(reqGroups, session.UserInfo.Groups)
// We only make this check here as a convenience to
// the user (we may be able to show a nicer UI): the
// actual group ACL must be applied on the destination
// service, because the 'g' parameter is untrusted at
// this stage.
if len(groups) == 0 {
http.Error(w, "Unauthorized", http.StatusUnauthorized)
return
var groups, reqGroups []string
if gstr := req.FormValue("g"); gstr != "" {
reqGroups = strings.Split(gstr, ",")
if len(reqGroups) > 0 && session.UserInfo != nil {
groups = intersectGroups(reqGroups, session.UserInfo.Groups)
// We only make this check here as a convenience to
// the user (we may be able to show a nicer UI): the
// actual group ACL must be applied on the destination
// service, because the 'g' parameter is untrusted at
// this stage.
if len(groups) == 0 {
http.Error(w, "Unauthorized", http.StatusUnauthorized)
return
}
}
}
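Review bot: The `len(reqGroups) > 0` half of the inner condition is now always true, because `strings.Split` on a non-empty `gstr` returns at least one element; the guard can be reduced to `if session.UserInfo != nil {`. A value like `a,,b` or a trailing comma still produces empty-string entries in reqGroups, which intersectGroups presumably ignores, but that is not visible here and is worth confirming (or trimming empties before the call). The existing comment correctly frames the 401 as a convenience check on an untrusted parameter, with the authoritative group ACL on the destination service, so skipping it when `session.UserInfo` is nil is consistent. handleHomepage starts before this hunk and its body continues past it.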
......