Mirrors/gitea
0
0
Fork 0
mirror of https://github.com/go-gitea/gitea.git synced 2026-05-20 09:23:57 +02:00
Code Issues Activity

Fix redirect

Browse Source
This commit is contained in:
Lunny Xiao 2026-02-17 12:26:26 -08:00
parent 318cb85037
commit cb9a3c8aed
No known key found for this signature in database
GPG Key ID: C3B7C91B632F738A
2 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
modules/httplib/url.go
View File

@ -24,6 +24,10 @@ func urlIsRelative(s string, u *url.URL) bool {
if len(s) > 1 && (s[0] == '/' || s[0] == '\\') && (s[1] == '/' || s[1] == '\\') { if len(s) > 1 && (s[0] == '/' || s[0] == '\\') && (s[1] == '/' || s[1] == '\\') {
return false return false
} }
// Backslashes (including encoded) can be normalized by browsers into slashes and allow open redirects.
if strings.Contains(s, "\\") || strings.Contains(strings.ToLower(s), "%5c") {
return false
}
return u != nil && u.Scheme == "" && u.Host == "" return u != nil && u.Scheme == "" && u.Host == ""
} }

3
modules/httplib/url_test.go
View File

@ -32,6 +32,9 @@ func TestIsRelativeURL(t *testing.T) {
"\\\\", "\\\\",
"/\\", "/\\",
"\\/", "\\/",
"/a/../\\example.com",
"/%5cexample.com",
"/a/../%5cexample.com",
"mailto:a@b.com", "mailto:a@b.com",
"https://test.com", "https://test.com",
} }