Merge 2c742717c8616703a22041f6f9164ec10cadaad9 into bbea5e6c2d75a4a710d7838b7bec7e851e046d3c

2026-02-22 04:35:44 +01:00 · 2026-02-20 20:31:05 +00:00 · 2026-02-20 20:31:05 +00:00 · 5f4c92cd42
commit 5f4c92cd42
parent bbea5e6c2d 2c742717c8
2 changed files with 6 additions and 0 deletions
--- a/modules/httplib/url.go
+++ b/modules/httplib/url.go
@ -24,6 +24,10 @@ func urlIsRelative(s string, u *url.URL) bool {
 	if len(s) > 1 && (s[0] == '/' || s[0] == '\\') && (s[1] == '/' || s[1] == '\\') {
 		return false
 	}
+	// Backslashes (including encoded) can be normalized by browsers into slashes and allow open redirects.
+	if strings.Contains(s, "\\") || strings.Contains(strings.ToLower(s), "%5c") {
+		return false
+	}
 	return u != nil && u.Scheme == "" && u.Host == ""
 }

--- a/modules/httplib/url_test.go
+++ b/modules/httplib/url_test.go
@ -32,6 +32,8 @@ func TestIsRelativeURL(t *testing.T) {
 		"\\\\",
 		"/\\",
 		"\\/",
+		"/a/../\\example.com",
+		"/a/../%5cexample.com",
 		"mailto:a@b.com",
 		"https://test.com",
 	}