
Commit 01476ac

committed Aug 30, 2022
fix(sendRedirect): always encode location uri
1 parent 2fa27e6 commit 01476ac

File tree

1 file changed (+5 -4 lines)

 

src/utils/response.ts

+5-4
@@ -24,13 +24,14 @@ export function defaultContentType (event: CompatibilityEvent, type?: string) {
2424
}
2525

2626
export function sendRedirect (event: CompatibilityEvent, location: string, code = 302) {
27+
const encodedLoc = encodeURI(location)
2728
event.res.statusCode = code
28-
event.res.setHeader('Location', location)
29-
// minimal html document that redirects on client side
29+
event.res.setHeader('Location', encodedLoc)
30+
// Minimal html document that redirects on client side
3031
const html = `<!DOCTYPE html>
3132
<html>
32-
<head><meta http-equiv="refresh" content="0; url=${encodeURI(location)}"></head>
33-
<body>Redirecting to <a href=${JSON.stringify(location)}>${encodeURI(location)}</a></body>
33+
<head><meta http-equiv="refresh" content="0; url=${encodedLoc}"></head>
34+
<body>Redirecting to <a href=${JSON.stringify(encodedLoc)}>${encodedLoc}</a></body>
3435
</html>`
3536
return send(event, html, MIMES.html)
3637
}
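Review bot: applying `encodeURI` unconditionally in `const encodedLoc = encodeURI(location)` and then sending that value with `event.res.setHeader('Location', encodedLoc)` double-encodes any `location` that is already percent-encoded, because `encodeURI` escapes `%` itself as `%25` (so an existing `%2C` becomes `%252C`); OAuth authorize URLs are normally built with a pre-encoded query string, so the target server will receive corrupted `scope`, `redirect_uri` and similar parameters. The previous code only URI-encoded the copies embedded in the HTML body and sent `location` verbatim in the header; consider keeping `setHeader('Location', location)` as it was and confining the escaping to the HTML context (the `content` attribute, the `href` value and the link text), where what the markup needs is HTML escaping of `"`, `<`, `>` and `&` rather than URL encoding. Note also that `encodeURI` leaves `'` unencoded, so the `href` must stay double-quoted, which `JSON.stringify(encodedLoc)` does. Since the commit message references no issue, a one-line comment above `encodedLoc` saying why the location is encoded would save the next reader from reverting it.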

5 commit comments


MurmeltierS commented on Sep 1, 2022


This just destroyed our OAuth flow. Why was this even introduced? I can't find a corresponding issue. This seems like a non-fix.

pi0 commented on Sep 1, 2022

Member, Author

@MurmeltierS It was from a security report not published yet. Sorry for the inconvenience. Can you please explain why this broke your flow with encoding? Would be happy to make a hotfix asap.

MurmeltierS commented on Sep 1, 2022


@MurmeltierS when using this to forward to an OAuth URL, query parameters get double-URI-encoded. This will most definitely break things on the other end.

e.g.:
https://foobar.myshopify.com/admin/oauth/authorize?client_id=6a63bcef27a43f48e07c239bc9741cd8&scope=write_products%252Cwrite_files&redirect_uri=https%253A%252F%252Fpictofit-shopify-app.vercel.app%252Fauth%252Fcallback-login&state=848902450404611&grant_options%255B%255D=per-user
instead of the correct URL
https://foobar.myshopify.com/admin/oauth/authorize?client_id=6a63bcef27a43f48e07c239bc9741cd8&scope=write_products%2Cwrite_files&redirect_uri=https%3A%2F%2Fpictofit-shopify-app.vercel.app%2Fauth%2Fcallback-login&state=848902450404611&grant_options%5B%5D=per-user
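The double encoding described in the comment above, as an added TypeScript example (not h3's code and not part of this thread): it shows that encodeURI() is not a safe no-op on an already percent-encoded URL, and sketches the alternative of sending the Location header verbatim while HTML-escaping only the copies embedded in the fallback page. OAUTH_URL is a constructed sample modelled on the URL quoted above; isEncodeUriStable, escapeHtml and buildRedirect are this example's own names, not h3 APIs.

```typescript
// Added example (not h3's code): why encodeURI() on a redirect target is not
// idempotent, and a variant that escapes for the HTML body only.
// isEncodeUriStable, escapeHtml and buildRedirect are names invented here.

// Constructed sample: an already percent-encoded OAuth authorize URL, the kind
// of value a caller hands to sendRedirect(). "%2C" and "%3A%2F%2F" are the
// escapes that a second encoding pass will mangle.
const OAUTH_URL =
  "https://foobar.myshopify.com/admin/oauth/authorize" +
  "?scope=write_products%2Cwrite_files" +
  "&redirect_uri=https%3A%2F%2Fapp.example%2Fauth%2Fcallback";

// encodeURI() escapes "%" itself as "%25", so on input that already contains
// percent-escapes every one of them changes (%2C -> %252C). Returns true only
// when a further encodeURI() pass would leave the string untouched.
function isEncodeUriStable(location: string): boolean {
  return encodeURI(location) === location;
}

// Escape for an HTML text node or a double-quoted attribute value. This is
// output encoding for the HTML context; it deliberately leaves URL syntax
// ("%", "?", "&" as a separator) alone, so the browser sees the original URL
// once it decodes the entities.
function escapeHtml(value: string): string {
  return value
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

interface Redirect {
  status: number;
  headers: { Location: string };
  body: string;
}

// Produce the same three things sendRedirect() does (status, Location header,
// fallback HTML) without rewriting the URL: the header carries `location`
// verbatim, and only the copies embedded in markup are HTML-escaped.
function buildRedirect(location: string, status = 302): Redirect {
  // Node's http layer rejects CR/LF in header values anyway; failing here
  // makes a header-injection attempt an explicit error instead of a generic one.
  if (/[\r\n]/.test(location)) {
    throw new Error("redirect location must not contain CR or LF");
  }
  const safe = escapeHtml(location);
  const body =
    `<!DOCTYPE html><html>` +
    `<head><meta http-equiv="refresh" content="0; url=${safe}"></head>` +
    `<body>Redirecting to <a href="${safe}">${safe}</a></body></html>`;
  return { status, headers: { Location: location }, body };
}

// Usage (expected results are asserted in the accompanying checks):
//   isEncodeUriStable(OAUTH_URL)            -> false (encodeURI would produce %252C)
//   buildRedirect(OAUTH_URL).headers.Location === OAUTH_URL
```

The point of escapeHtml() rather than encodeURI() is that the body is an HTML context: what lets a crafted location break out of the `content` attribute, the `href` or the link text is an unescaped `"`, `<` or `>`, and HTML escaping handles exactly those without touching the URL's own percent-escapes. escapeHtml() is a one-shot output encoding (it turns `&` into `&amp;` on every pass), so apply it once, at the point where the value is written into markup, never on the value you keep for the header.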

pi0 commented on Sep 1, 2022

Member, Author

Fix on the way!

pi0 commented on Sep 1, 2022

Member, Author

Should be fixed in latest. Please try updating lockfile. (04b432c)
