Merge pull request oauth2-proxy#368 from pusher/advisory-notes
Open redirect (security vulnerability) notes
David Stark authored Jan 29, 2020
2 parents a316f8a + 3b0e8c3 commit c49d362
Showing 2 changed files with 6 additions and 1 deletion.
2 changes: 1 addition & 1 deletion CHANGELOG.md
Expand Up @@ -17,7 +17,7 @@
- DigitalOcean provider support added

## Important Notes
- (Security) Fix for open redirect vulnerability.. a bad actor using `/\` in redirect URIs can redirect a session to another domain
- (Security) Fix for [open redirect vulnerability](https://github.com/pusher/oauth2_proxy/security/advisories/GHSA-qqxw-m5fj-f7gv).. a bad actor using `/\` in redirect URIs can redirect a session to another domain

## Breaking Changes

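Review bot: the replacement line still carries the doubled period after "vulnerability.." from the old entry; since the line is being rewritten anyway, make it a single period or a colon, e.g. `- (Security) Fix for [open redirect vulnerability](https://github.com/pusher/oauth2_proxy/security/advisories/GHSA-qqxw-m5fj-f7gv): a bad actor using `/\` in redirect URIs can redirect a session to another domain`. It would also help readers scanning the changelog if this entry said which versions are affected, as the README hunk in this same commit does ("older than v5.0.0").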
5 changes: 5 additions & 0 deletions README.md
Expand Up @@ -35,6 +35,11 @@ oauth2_proxy-4.0.0.linux-amd64: OK
3. [Configure OAuth2 Proxy using config file, command line options, or environment variables](https://pusher.github.io/oauth2_proxy/configuration)
4. [Configure SSL or Deploy behind a SSL endpoint](https://pusher.github.io/oauth2_proxy/tls-configuration) (example provided for Nginx)


## Security

If you are running a version older than v5.0.0 we **strongly recommend you please update** to a current version. RE: [open redirect vulnverability](https://github.com/pusher/oauth2_proxy/security/advisories/GHSA-qqxw-m5fj-f7gv)

## Docs

Read the docs on our [Docs site](https://pusher.github.io/oauth2_proxy).
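Review bot: the link text in the new Security section misspells "vulnerability" as "vulnverability"; fix that before merging. The section also tells users only to update without naming the issue; consider reusing the CHANGELOG wording from this same commit (open redirect vulnerability, `/\` in redirect URIs redirecting a session to another domain) so README readers know what the advisory covers, and drop one of the two blank lines added above the `## Security` heading.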