Do not use postentially harmful error message in redirect

omniauth · Aug 18, 2022 · 74526f0 · 74526f0
1 parent fce9e23
commit 74526f0
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/lib/omniauth/failure_endpoint.rb b/lib/omniauth/failure_endpoint.rb
@@ -27,7 +27,7 @@ def raise_out!
 
     def redirect_to_failure
       message_key = env['omniauth.error.type']
-      new_path = "#{env['SCRIPT_NAME']}#{OmniAuth.config.path_prefix}/failure?message=#{message_key}#{origin_query_param}#{strategy_name_query_param}"
+      new_path = "#{env['SCRIPT_NAME']}#{OmniAuth.config.path_prefix}/failure?message=#{Rack::Utils.escape(message_key)}#{origin_query_param}#{strategy_name_query_param}"
       Rack::Response.new(['302 Moved'], 302, 'Location' => new_path).finish
     end
 

diff --git a/lib/omniauth/version.rb b/lib/omniauth/version.rb
@@ -1,3 +1,3 @@
 module OmniAuth
-  VERSION = '1.9.1'.freeze
+  VERSION = '1.9.2'.freeze
 end