From cb9a3c8aed04c5fa0f63507aa56699b39eb45c48 Mon Sep 17 00:00:00 2001
From: Lunny Xiao
Date: Tue, 17 Feb 2026 12:26:26 -0800
Subject: [PATCH] Fix redirect
---
 modules/httplib/url.go | 4 ++++
 modules/httplib/url_test.go | 3 +++
 2 files changed, 7 insertions(+)
diff --git a/modules/httplib/url.go b/modules/httplib/url.go
index 2a1376b8d4..347cbf7b1e 100644
--- a/modules/httplib/url.go
+++ b/modules/httplib/url.go
@@ -24,6 +24,10 @@ func urlIsRelative(s string, u *url.URL) bool {
 if len(s) > 1 && (s[0] == '/' || s[0] == '\\') && (s[1] == '/' || s[1] == '\\') {
 return false
 }
+ // Backslashes (including encoded) can be normalized by browsers into slashes and allow open redirects.
+ if strings.Contains(s, "\\") || strings.Contains(strings.ToLower(s), "%5c") {
+ return false
+ }
 return u != nil && u.Scheme == "" && u.Host == ""
 }
diff --git a/modules/httplib/url_test.go b/modules/httplib/url_test.go
index 0ffb0cac05..ea4fe75257 100644
--- a/modules/httplib/url_test.go
+++ b/modules/httplib/url_test.go
@@ -32,6 +32,9 @@ func TestIsRelativeURL(t *testing.T) {
 "\\\\",
 "/\\",
 "\\/",
+ "/a/../\\example.com",
+ "/%5cexample.com",
+ "/a/../%5cexample.com",
 "mailto:a@b.com",
 "https://test.com",
 }
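Review bot: The new `%5c` check runs over the whole of `s`, so a genuinely relative target that merely carries an encoded backslash in its query or fragment (for example `/search?q=a%5Cb`) is now reported as non-relative, and nothing in the hunk says that this over-rejection is intended. If it is, the added comment should say so, e.g. `// Deliberately broad: any raw or percent-encoded backslash anywhere in s (path, query or fragment) is rejected.`; if it is not, and `u` is the parsed form of `s`, then `u.Path` is already percent-decoded by net/url, so `u != nil && strings.Contains(u.Path, "\\")` would cover both spellings on the path alone — whether `u` comes from `s` is not visible here, so please confirm before narrowing. Whether a target that is decoded again by the caller before being emitted in a Location header (a double-encoded form) can still reach a browser as a backslash depends on code outside this hunk and is worth a sentence in the comment either way. `urlIsRelative` has no doc comment in view and its signature lies above the hunk; a one-line `// urlIsRelative reports whether s (parsed as u) is safe to use as a same-site redirect target.` would help the next reader.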
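Review bot: The three new cases only exercise the lowercase `%5c` spelling, so the `strings.ToLower` half of the new guard in url.go is not pinned by this test; add `"/%5Cexample.com",` alongside them. This list appears to hold inputs expected to be non-relative (its neighbours are `"mailto:a@b.com"` and `"https://test.com"`), and it would also be worth recording the deliberate false positive of the new guard, if that is the intent, with a relative path carrying an encoded backslash in its query, e.g. `"/search?q=a%5Cb",`, so a later narrowing of the check cannot silently change that decision. `TestIsRelativeURL` begins outside the hunk, so whether a matching "expected relative" list exists nearby cannot be seen here.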