From 0198dd6e9378405c432810e190288d796da46e4d Mon Sep 17 00:00:00 2001
From: David Stark
Date: Sun, 26 Jan 2020 15:00:03 +0000
Subject: [PATCH 1/2] check for /\ redirects
---
 oauthproxy.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/oauthproxy.go b/oauthproxy.go
index a0195ea063..37019b48c3 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -558,7 +558,7 @@ func validOptionalPort(port string) bool {
 // IsValidRedirect checks whether the redirect URL is whitelisted
 func (p *OAuthProxy) IsValidRedirect(redirect string) bool {
 switch {
- case strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//"):
+ case strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//") && !strings.HasPrefix(redirect, "/\\"):
 return true
 case strings.HasPrefix(redirect, "http://") || strings.HasPrefix(redirect, "https://"):
 redirectURL, err := url.Parse(redirect)
From e21f09817e62a99f82b5e14236aa2aa29b14a515 Mon Sep 17 00:00:00 2001
From: David Stark
Date: Wed, 29 Jan 2020 12:36:11 +0000
Subject: [PATCH 2/2] note about open redirect vulneravility
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 767cde7b1f..7bdb02ef93 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,7 +17,7 @@
 - DigitalOcean provider support added
 ## Important Notes
-N/A
+- (Security) Fix for open redirect vulnerability.. a bad actor using `/\` in redirect URIs can redirect a session to another domain
 ## Breaking Changes
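Review bot: The new `!strings.HasPrefix(redirect, "/\\")` test on the `+` line rejects only that literal two-byte sequence, so a relative redirect that a browser normalizes into a scheme-relative URL by another route — e.g. `/\t/evil.example` or `/\n\\evil.example`, since browsers strip ASCII tab and newline before parsing and treat `\` as `/` in http(s) URLs — still falls through to `return true`, as far as I can tell from the visible case. Rather than extending a list of bad prefixes one variant at a time, I would strip the characters a browser ignores and then reject any redirect whose second byte is `/` or `\`, as in the helper below; it is a drop-in for the first `case` and leaves the http/https branch untouched. Since this is a deny-list on a security boundary, the accepted case also deserves a comment stating why `//` and `\` are special, something like `// "//host" and "/\host" are scheme-relative in browsers, not same-origin paths`. IsValidRedirect's body continues outside the hunk.
```go
	switch {
	case isRelativeRedirect(redirect):
		return true
	// … unchanged: absolute http(s) whitelist check …

// isRelativeRedirect accepts only same-origin path redirects. Browsers treat
// "\" like "/" in http(s) URLs and drop ASCII tab/newline before parsing, so
// "/\evil", "/\t/evil" and similar would otherwise become "//evil".
func isRelativeRedirect(redirect string) bool {
	if !strings.HasPrefix(redirect, "/") {
		return false
	}
	// Remove control characters and whitespace before inspecting the second
	// byte; anything a browser would ignore must not hide a second separator.
	cleaned := strings.Map(func(r rune) rune {
		if r <= ' ' || r == 0x7f {
			return -1
		}
		return r
	}, redirect)
	return len(cleaned) < 2 || (cleaned[1] != '/' && cleaned[1] != '\\')
}
```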