mirror of
https://github.com/go-gitea/gitea.git
synced 2026-03-07 18:22:05 +01:00
2aee44cdd9
Backport #36660 by @lunny This change tightens relative URL validation to reject raw backslashes and `%5c` (encoded backslash), since browsers and URL normalizers can treat backslashes as path separators. That normalization can turn seemingly relative paths into scheme-relative URLs, creating open-redirect risk. Visiting below URL to reproduce the problem. http://localhost:3000/user/login?redirect_to=/a/../\example.com http://localhost:3000/user/login?redirect_to=/a/../%5cexample.com Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>