diff options
| author | Chris <ccbrown112@gmail.com> | 2018-02-02 07:29:11 -0600 |
|---|---|---|
| committer | Joram Wilander <jwawilander@gmail.com> | 2018-02-02 08:29:11 -0500 |
| commit | 2256e23c9ef7295b0001b1723be491254bfe73fe (patch) | |
| tree | 30d7742048383907f6837c7cf876a55af0805467 | |
| parent | 0cd2895456f953ef871e10421361578b6c8d4add (diff) | |
| download | chat-2256e23c9ef7295b0001b1723be491254bfe73fe.tar.gz chat-2256e23c9ef7295b0001b1723be491254bfe73fe.tar.bz2 chat-2256e23c9ef7295b0001b1723be491254bfe73fe.zip | |
ABC-153: don't use http redirects with 4xx/5xx status codes (#8178)
* don't use http redirects with 4xx/5xx status codes
* minor html syntax fix
| -rw-r--r-- | app/oauth.go | 2 | ||||
| -rw-r--r-- | utils/api.go | 23 |
2 files changed, 15 insertions, 10 deletions
diff --git a/app/oauth.go b/app/oauth.go index 3202ac5ed..1cce5a3a0 100644 --- a/app/oauth.go +++ b/app/oauth.go @@ -564,7 +564,7 @@ func generateOAuthStateTokenExtra(email, action, cookie string) string { func (a *App) GetAuthorizationCode(w http.ResponseWriter, r *http.Request, service string, props map[string]string, loginHint string) (string, *model.AppError) { sso := a.Config().GetSSOService(service) - if sso != nil && !sso.Enable { + if sso == nil || !sso.Enable { return "", model.NewAppError("GetAuthorizationCode", "api.user.get_authorization_code.unsupported.app_error", nil, "service="+service, http.StatusNotImplemented) } diff --git a/utils/api.go b/utils/api.go index 48382d1fe..005c3284b 100644 --- a/utils/api.go +++ b/utils/api.go @@ -4,6 +4,8 @@ package utils import ( + "fmt" + "html/template" "net/http" "net/url" "strings" @@ -31,18 +33,21 @@ func OriginChecker(allowedOrigins string) func(*http.Request) bool { } func RenderWebError(err *model.AppError, w http.ResponseWriter, r *http.Request) { - message := err.Message - details := err.DetailedError - status := http.StatusTemporaryRedirect if err.StatusCode != http.StatusInternalServerError { status = err.StatusCode } - http.Redirect( - w, - r, - "/error?message="+url.QueryEscape(message)+ - "&details="+url.QueryEscape(details), - status) + destination := strings.TrimRight(GetSiteURL(), "/") + "/error?message=" + url.QueryEscape(err.Message) + if status >= 300 && status < 400 { + http.Redirect(w, r, destination, status) + return + } + + w.WriteHeader(status) + fmt.Fprintln(w, `<!DOCTYPE html><html><head></head>`) + fmt.Fprintln(w, `<body onload="window.location = '`+template.HTMLEscapeString(template.JSEscapeString(destination))+`'">`) + fmt.Fprintln(w, `<noscript><meta http-equiv="refresh" content="0; url=`+template.HTMLEscapeString(destination)+`"></noscript>`) + fmt.Fprintln(w, `<a href="`+template.HTMLEscapeString(destination)+`" style="color: #c0c0c0;">...</a>`) + fmt.Fprintln(w, `</body></html>`) } |