feature-sso #40

Merged

David merged 3 commits from feature-sso into main 2026-05-10 18:55:32 +02:00

Conversation 0 Commits 3 Files changed 1 +3 -1

David commented 2026-05-10 18:55:20 +02:00

Owner

Copy link

No description provided.

David added 2 commits 2026-05-10 18:55:20 +02:00

fix: reject protocol-relative return_to to close open-redirect ... f7c4dc0a4c

`s.starts_with('/')` alone accepts paths like `//evil.com/x`, which
browsers resolve as `https://evil.com/x`. Add `&& !s.starts_with("//")`
so callback only redirects to same-origin paths.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Merge remote-tracking branch 'origin/main' into feature-sso 92db3afcb6

David added 1 commit 2026-05-10 18:55:27 +02:00

Merge branch 'main' into feature-sso 8b2cb9f408

David merged commit e53a4d8050 into main 2026-05-10 18:55:32 +02:00

David deleted branch feature-sso 2026-05-10 18:55:32 +02:00

David referenced this pull request from a commit 2026-05-10 18:55:34 +02:00

Merge pull request 'feature-sso' (#40) from feature-sso into main

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

a8n-tools/rusty-links!40

No description provided.