Skip to content

v2.14.0
Compare
Choose a tag to compare
@mccutchen mccutchen released this 12 May 16:49
· 9 commits to main since this release
v2.14.0
874932b
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.

What's Changed

  • chore(ci): tweak codecov configuration by @mccutchen in #168
  • add appProcotol to the k8s service for port name 'http' by @bcollard in #169
  • fix: mitigate allowed redirect domain bypass by @mccutchen in #174

🔐 Security fix 🔐

This release fixes a bug that allowed clients to bypass the -allowed-redirect-domains/ALLOWED_REDIRECT_DOMAINS configuration used by the /redirect-to endpoint by passing an absolute URL without a scheme (e.g. /redirect-to?url=//evil.com).

See #173 and #174 for details about the issue and the fix, and see the Production Considerations section of the README for more info on why that configuration is important.

New Contributors

Full Changelog: v2.13.4...v2.14.0

Contributors

mccutchen and bcollard
Assets 2
Loading