The analysis of the security patch commit 76df99f3a3db234cf6b312be5e771485213d03c7 clearly indicates that the vulnerability was located in the checkLogin function within the internal/ui/login_check.go file. The vulnerability is an open redirect, caused by improper validation of the redirect_url parameter. The original code used url.Parse(...).IsAbs() to determine if a URL was local. However, this check failed to account for protocol-relative URLs (e.g., //attacker.com), which are not absolute but cause the browser to redirect to an external site. The patch rectifies this by introducing a new, more stringent validation function, urllib.IsRelativePath, and applying it within handler.checkLogin. Therefore, handler.checkLogin is the function that processes the malicious input and contains the vulnerable logic.
handler.checkLogininternal/ui/login_check.go
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| miniflux.app/v2 | go | <= 2.2.14 | 2.2.15 |