From b9b970162fe29d1a87a7167a53f97b4d67349cf1 Mon Sep 17 00:00:00 2001
From: Roman Tkachenko
Date: Tue, 3 Oct 2017 18:29:02 -0700
Subject: [PATCH 1/2] Safe redirect for oidc/saml

---
 lib/httplib/httplib.go | 10 ++++++++++
 lib/web/apiserver.go | 2 +-
 lib/web/saml.go | 2 +-
 3 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/lib/httplib/httplib.go b/lib/httplib/httplib.go
index 9c96218c9085..338660b11d90 100644
--- a/lib/httplib/httplib.go
+++ b/lib/httplib/httplib.go
@@ -175,3 +175,13 @@ func RewritePaths(next http.Handler, rewrites ...RewritePair) http.Handler {
 		next.ServeHTTP(w, req)
 	})
 }
+
+// SafeRedirect performs a relative redirect to the URI part of the provided redirect URL
+func SafeRedirect(w http.ResponseWriter, r *http.Request, redirectURL string) error {
+	parsedURL, err := url.Parse(redirectURL)
+	if err != nil {
+		return trace.Wrap(err)
+	}
+	http.Redirect(w, r, parsedURL.RequestURI(), http.StatusFound)
+	return nil
+}
diff --git a/lib/web/apiserver.go b/lib/web/apiserver.go
index b8bd71185382..38855936b430 100644
--- a/lib/web/apiserver.go
+++ b/lib/web/apiserver.go
@@ -612,7 +612,7 @@ func (h *Handler) oidcCallback(w http.ResponseWriter, r *http.Request, p httprou
 		if err := SetSession(w, response.Username, response.Session.GetName()); err != nil {
 			return nil, trace.Wrap(err)
 		}
-		http.Redirect(w, r, response.Req.ClientRedirectURL, http.StatusFound)
+		httplib.SafeRedirect(w, r, response.Req.ClientRedirectURL)
 		return nil, nil
 	}
 	log.Infof("oidcCallback redirecting to console login")
diff --git a/lib/web/saml.go b/lib/web/saml.go
index c85f53f40fd5..82ec62936ac1 100644
--- a/lib/web/saml.go
+++ b/lib/web/saml.go
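Review bot: SafeRedirect still lets a stored redirect URL leave the origin, because `parsedURL.RequestURI()` returns the escaped path unchanged and a path that begins with `//` is emitted by http.Redirect as a protocol-relative Location, which browsers resolve against the host named in the path rather than the current one; some browsers also normalise a leading `/\` to `//`. The helper should reject those prefixes before redirecting, and its doc comment should say that only the path and query of redirectURL are honoured and that an error is returned when the URL cannot be used safely. The guard below needs the `strings` package in scope, which this hunk does not show as imported.
```go
func SafeRedirect(w http.ResponseWriter, r *http.Request, redirectURL string) error {
	// … unchanged: url.Parse and its error check …
	uri := parsedURL.RequestURI()
	// A Location of "//host/..." (or "/\host/..." in browsers that fold the
	// backslash) is protocol-relative and would escape the origin, which is
	// exactly what this helper exists to prevent.
	if strings.HasPrefix(uri, "//") || strings.HasPrefix(uri, "/\\") {
		return trace.BadParameter("invalid redirect URL %q", redirectURL)
	}
	http.Redirect(w, r, uri, http.StatusFound)
	return nil
}
```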
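Review bot: The error returned by `httplib.SafeRedirect(w, r, response.Req.ClientRedirectURL)` is discarded, so when url.Parse rejects the stored ClientRedirectURL no redirect is written and the handler still returns nil, nil as if it had been sent; the saml.go hunk has the same pattern. Check it the way the preceding SetSession call is checked: `if err := httplib.SafeRedirect(w, r, response.Req.ClientRedirectURL); err != nil {` / `return nil, trace.Wrap(err)` / `}`. oidcCallback begins and ends outside the hunk.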
@@ -96,7 +96,7 @@ func (m *Handler) samlACS(w http.ResponseWriter, r *http.Request, p httprouter.P
 		if err := SetSession(w, response.Username, response.Session.GetName()); err != nil {
 			return nil, trace.Wrap(err)
 		}
-		http.Redirect(w, r, response.Req.ClientRedirectURL, http.StatusFound)
+		httplib.SafeRedirect(w, r, response.Req.ClientRedirectURL)
 		return nil, nil
 	}
 	l.Debugf("samlCallback redirecting to console login")

From a8cf2d3464866f73ab202e4d531cf1d050738331 Mon Sep 17 00:00:00 2001
From: Roman Tkachenko
Date: Tue, 3 Oct 2017 18:35:05 -0700
Subject: [PATCH 2/2] Fix test

---
 lib/web/apiserver_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/web/apiserver_test.go b/lib/web/apiserver_test.go
index 74a702fe1251..777cc08dc8c4 100644
--- a/lib/web/apiserver_test.go
+++ b/lib/web/apiserver_test.go
@@ -525,7 +525,7 @@ func (s *WebSuite) TestSAMLSuccess(c *C) {
 	// we have got valid session
 	c.Assert(authRe.Headers().Get("Set-Cookie"), Not(Equals), "")
 	// we are being redirected to orignal URL
-	c.Assert(authRe.Headers().Get("Location"), Equals, "http://localhost/after")
+	c.Assert(authRe.Headers().Get("Location"), Equals, "/after")
 }
 
 type authPack struct {
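Review bot: The updated assertion `c.Assert(authRe.Headers().Get("Location"), Equals, "/after")` only covers a redirect URL on the test's own host, so it does not exercise the property the first commit was made for; a second case whose ClientRedirectURL names a different host, asserting that Location is still the path-only value, would pin that behaviour and catch a regression to the absolute redirect. The fixture that sets the redirect URL and the start of TestSAMLSuccess are outside the hunk, so the exact setup to reuse is not visible here.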