fix(security): add missing return after redirect in resetPassword handler
http.Redirect only sets response headers; without return, handler execution continued with empty login/token strings, potentially causing unexpected LDAP queries and information leakage. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
parent
10f41e4ef8
commit
a2f368eb02
1 changed files with 1 additions and 0 deletions
1
reset.go
1
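--- a/reset.go
+++ b/reset.go
@@ -9,6 +9,7 @@ import (
 func resetPassword(w http.ResponseWriter, r *http.Request) {
 if len(r.URL.Query().Get("l")) == 0 || len(r.URL.Query().Get("t")) == 0 {
 http.Redirect(w, r, "lost", http.StatusFound)
+return
 }
 
 base := map[string]interface{}{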
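Review bot: The guard in resetPassword rejects only empty `l` and `t` values, so with the added `return` every non-empty pair still reaches the code below the hunk, which according to the commit message performs LDAP queries; that code is outside the hunk, so confirm the login is length-bounded and escaped before it is placed in an LDAP filter. The query string is also parsed twice in the condition; reading it once, `q := r.URL.Query()` followed by `login, token := q.Get("l"), q.Get("t")`, lets the later code reuse the same checked values. A regression test with `httptest.NewRecorder` that sends a request without `l`/`t` and asserts a 302 and that the reset form is not rendered would keep the missing-return bug from coming back. Other handlers that call `http.Redirect` or `http.Error` inside a guard are worth checking for the same fall-through.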