From cb9a3c8aed04c5fa0f63507aa56699b39eb45c48 Mon Sep 17 00:00:00 2001
From: Lunny Xiao
Date: Tue, 17 Feb 2026 12:26:26 -0800
Subject: [PATCH 1/2] Fix redirect

---
 modules/httplib/url.go | 4 ++++
 modules/httplib/url_test.go | 3 +++
 2 files changed, 7 insertions(+)

diff --git a/modules/httplib/url.go b/modules/httplib/url.go
index 2a1376b8d4..347cbf7b1e 100644
--- a/modules/httplib/url.go
+++ b/modules/httplib/url.go
@@ -24,6 +24,10 @@ func urlIsRelative(s string, u *url.URL) bool {
 if len(s) > 1 && (s[0] == '/' || s[0] == '\\') && (s[1] == '/' || s[1] == '\\') {
 return false
 }
+ // Backslashes (including encoded) can be normalized by browsers into slashes and allow open redirects.
+ if strings.Contains(s, "\\") || strings.Contains(strings.ToLower(s), "%5c") {
+ return false
+ }
 return u != nil && u.Scheme == "" && u.Host == ""
 }
diff --git a/modules/httplib/url_test.go b/modules/httplib/url_test.go
index 0ffb0cac05..ea4fe75257 100644
--- a/modules/httplib/url_test.go
+++ b/modules/httplib/url_test.go
@@ -32,6 +32,9 @@ func TestIsRelativeURL(t *testing.T) {
 "\\\\",
 "/\\",
 "\\/",
+ "/a/../\\example.com",
+ "/%5cexample.com",
+ "/a/../%5cexample.com",
 "mailto:a@b.com",
 "https://test.com",
 }

From 2c742717c8616703a22041f6f9164ec10cadaad9 Mon Sep 17 00:00:00 2001
From: Lunny Xiao
Date: Fri, 20 Feb 2026 12:30:49 -0800
Subject: [PATCH 2/2] Remove unnecessary test

---
 modules/httplib/url_test.go | 1 -
 1 file changed, 1 deletion(-)

diff --git a/modules/httplib/url_test.go b/modules/httplib/url_test.go
index ea4fe75257..4f537b6e2b 100644
--- a/modules/httplib/url_test.go
+++ b/modules/httplib/url_test.go
@@ -33,7 +33,6 @@ func TestIsRelativeURL(t *testing.T) {
 "/\\",
 "\\/",
 "/a/../\\example.com",
- "/%5cexample.com",
 "/a/../%5cexample.com",
 "mailto:a@b.com",
 "https://test.com",
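Review bot: The added guard matches a backslash or `%5c` anywhere in `s`, so a genuinely relative URL that carries one in its query or fragment (for example `/search?q=a\b`) is now reported as not relative, and the added comment does not say that this breadth is deliberate. If it is, make it explicit so a later maintainer does not "narrow" it back to the path: `// Deliberately rejected anywhere in s (path, query and fragment): browsers may normalize \ to /, and losing a few unusual relative URLs is the safer trade.` With the new check in place, the preceding `if` on `s[0]`/`s[1]` only still matters for the plain `//` prefix, since every backslash is already rejected; a short remark there would save the next reader from wondering why both exist. The signature of urlIsRelative sits outside the hunk; the hunk's final closing brace ends the function.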
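Review bot: The three new entries only show the guard rejecting backslash-bearing paths; nothing in the list exercises a backslash or `%5c` inside a query string, which is exactly where the new check changes the answer for an otherwise relative URL. Assuming this slice holds the inputs expected to be non-relative (its neighbours `mailto:a@b.com` and `https://test.com` suggest so), adding `"/?q=a\\b",` and `"/?q=%5C",` would pin that intended behaviour, and the second entry also covers the upper-case encoding the `strings.ToLower` call exists for. TestIsRelativeURL starts before the hunk and its assertions follow it.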