Mirrors/gitea
0
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2026-02-23 17:15:57 +01:00
Code Issues Activity

Prevent redirect bypasses via backslash-encoded paths (#36660)

Browse Source 
This change tightens relative URL validation to reject raw backslashes
and `%5c` (encoded backslash), since browsers and URL normalizers can
treat backslashes as path separators. That normalization can turn
seemingly relative paths into scheme-relative URLs, creating
open-redirect risk.

Visiting below URL to reproduce the problem.

http://localhost:3000/user/login?redirect_to=/a/../\example.com

http://localhost:3000/user/login?redirect_to=/a/../%5cexample.com

---------

Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
This commit is contained in:
Lunny Xiao 2026-02-22 14:15:03 -08:00 committed by GitHub
parent 8f15f76dd6
commit 3db3c058b3
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 15 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
modules/httplib/url.go
View File

@ -24,7 +24,18 @@ func urlIsRelative(s string, u *url.URL) bool {
if len(s) > 1 && (s[0] == '/' || s[0] == '\\') && (s[1] == '/' || s[1] == '\\') {
return false
}
return u != nil && u.Scheme == "" && u.Host == ""
if u == nil {
return false // invalid URL
}
if u.Scheme != "" || u.Host != "" {
return false // absolute URL with scheme or host
}
// Now, the URL is likely a relative URL
// HINT: GOLANG-HTTP-REDIRECT-BUG: Golang security vulnerability: "http.Redirect" calls "path.Clean" and changes the meaning of a path
// For example, `/a/../\b` will be changed to `/\b`, then it hits the first checked pattern and becomes an open redirect to "{current-scheme}://b"
// For a valid relative URL, its "path" shouldn't contain `\` because such char must be escaped.
// So if the "path" contains `\`, it is not a valid relative URL, then we can prevent open redirect.
return !strings.Contains(u.Path, "\\")
}
// IsRelativeURL detects if a URL is relative (no scheme or host)

3
modules/httplib/url_test.go
View File

@ -23,6 +23,7 @@ func TestIsRelativeURL(t *testing.T) {
"foo",
"/",
"/foo?k=%20#abc",
"/foo?k=\\",
}
for _, s := range rel {
assert.True(t, IsRelativeURL(s), "rel = %q", s)
@ -32,6 +33,8 @@ func TestIsRelativeURL(t *testing.T) {
"\\\\",
"/\\",
"\\/",
"/a/../\\b",
"/any\\thing",
"mailto:a@b.com",
"https://test.com",
}