fix(web): make the try again button always go back to /

Signed-off-by: Xe Iaso <me@xeiaso.net>
2026-04-08 17:48:44 +00:00 · 2025-07-25 10:18:00 -04:00
6 changed files with 5 additions and 54 deletions
--- a/2
+++ b/2
@@ -1 +1 @@
-1.21.3
+1.21.2
--- a/docs/docs/CHANGELOG.md
+++ b/docs/docs/CHANGELOG.md
@@ -13,24 +13,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

 <!-- This changes the project to: -->

-## v1.21.3: Minfilia Warde - Echo 3
+## v1.21.2: Minfilia Warde - Echo 2

 ### Fixes

 #### Fixes a problem with nonstandard URLs and redirects

-Fixes [GHSA-jhjj-2g64-px7c](https://github.com/TecharoHQ/anubis/security/advisories/GHSA-jhjj-2g64-px7c).
-
 This could allow an attacker to craft an Anubis pass-challenge URL that forces a redirect to nonstandard URLs, such as the `javascript:` scheme which executes arbitrary JavaScript code in a browser context when the user clicks the "Try again" button.

 This has been fixed by disallowing any URLs without the scheme `http` or `https`.

 Additionally, the "Try again" button has been fixed to completely ignore the user-supplied redirect location. It now redirects to the home page (`/`).

-## v1.21.2: Minfilia Warde - Echo 2
-
-This contained an incomplete fix for [GHSA-jhjj-2g64-px7c](https://github.com/TecharoHQ/anubis/security/advisories/GHSA-jhjj-2g64-px7c). Do not use this version.
-
 ## v1.21.1: Minfilia Warde - Echo 1

 - Expired records are now properly removed from bbolt databases ([#848](https://github.com/TecharoHQ/anubis/pull/848)).
--- a/lib/anubis_test.go
+++ b/lib/anubis_test.go
@@ -926,42 +926,3 @@ func TestPassChallengeXSS(t *testing.T) {
 		}
 	})
 }
-
-func TestXForwardedForNoDoubleComma(t *testing.T) {
-	var h http.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("X-Forwarded-For", r.Header.Get("X-Forwarded-For"))
-		fmt.Fprintln(w, "OK")
-	})
-
-	h = internal.XForwardedForToXRealIP(h)
-	h = internal.XForwardedForUpdate(false, h)
-
-	pol := loadPolicies(t, "testdata/permissive.yaml", 4)
-
-	srv := spawnAnubis(t, Options{
-		Next:   h,
-		Policy: pol,
-	})
-	ts := httptest.NewServer(srv)
-	t.Cleanup(ts.Close)
-
-	req, err := http.NewRequest(http.MethodGet, ts.URL, nil)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	req.Header.Set("X-Real-Ip", "10.0.0.1")
-
-	resp, err := ts.Client().Do(req)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if resp.StatusCode != http.StatusOK {
-		t.Errorf("response status is wrong, wanted %d but got: %s", http.StatusOK, resp.Status)
-	}
-
-	if xff := resp.Header.Get("X-Forwarded-For"); strings.HasPrefix(xff, ",,") {
-		t.Errorf("X-Forwarded-For has two leading commas: %q", xff)
-	}
-}
--- a/lib/testdata/permissive.yaml
+++ b/lib/testdata/permissive.yaml
@@ -1,4 +0,0 @@
-bots:
-  - import: (data)/common/allow-private-addresses.yaml
-
-dnsbl: false
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
  "name": "@techaro/anubis",
-  "version": "1.21.3",
+  "version": "1.21.2",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "@techaro/anubis",
-      "version": "1.21.3",
+      "version": "1.21.2",
      "license": "ISC",
      "devDependencies": {
        "cssnano": "^7.1.0",
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@techaro/anubis",
-  "version": "1.21.3",
+  "version": "1.21.2",
  "description": "",
  "main": "index.js",
  "scripts": {
@@ -1 +1 @@
 .21.3
 .21.2