source.dussan.org Git - gitea.git/commit
Prevent redirect to Host (2) (#19175) (#19186)
author zeripath <art27@cantab.net>
Wed, 23 Mar 2022 20:01:23 +0000 (20:01 +0000)
committer GitHub <noreply@github.com>
Wed, 23 Mar 2022 20:01:23 +0000 (20:01 +0000)
commit e3d8e92bdc67562783de9a76b5b7842b68daeb48
tree 95c0e944fc54b448f02b0b02ce9c5c861b262c2d
parent 6fc73a84332643ffbd431f6e7fcb16942c505c04

Backport #19175

Unhelpfully, Locations starting with `/\` will be converted by the
browser to `//` because ... well I do not fully understand. Certainly
the RFCs and MDN do not indicate that this would be expected. Providing
"compatibility" with the (mis)behaviour of a certain proprietary OS is
my suspicion. However, we clearly have to protect against this.

Therefore we should reject redirection locations that match the regular
expression: `^/[\\\\/]+`

Reference #9678

Signed-off-by: Andrew Thornton <art27@cantab.net>
modules/context/context.go
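
An added example (not Gitea's code from `modules/context/context.go`) showing why a parse-based host check alone misses the `/\` case described in the commit message, and how the quoted expression closes it. The function names, the constructed sample locations and the policy of accepting only relative paths are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// Expression quoted in the commit message: "/" followed by one or more "/" or "\".
var hostLikePrefix = regexp.MustCompile(`^/[\\\\/]+`)

// hostOnlyCheck (hypothetical) accepts any location that parses without a
// scheme or host. net/url treats `/\evil.example` as a plain path, so this
// check alone lets it through even though browsers read it as `//evil.example`.
func hostOnlyCheck(loc string) bool {
	u, err := url.Parse(loc)
	return err == nil && u.Scheme == "" && u.Host == ""
}

// safeRedirect (hypothetical) adds the prefix rejection on top of the parse check.
func safeRedirect(loc string) bool {
	return hostOnlyCheck(loc) && !hostLikePrefix.MatchString(loc)
}

// firstSafe (hypothetical) returns the first acceptable candidate, or fallback.
func firstSafe(fallback string, candidates ...string) string {
	for _, c := range candidates {
		if c != "" && safeRedirect(c) {
			return c
		}
	}
	return fallback
}

func main() {
	// Constructed sample inputs, e.g. values of a redirect_to parameter.
	samples := []string{"/user/settings", `/\evil.example`, "//evil.example",
		`/\/evil.example`, "https://evil.example/"}
	for _, loc := range samples {
		fmt.Printf("%-24q hostOnly=%-5v safe=%v\n", loc, hostOnlyCheck(loc), safeRedirect(loc))
	}
	fmt.Println("chosen:", firstSafe("/", `/\evil.example`, "/issues"))
}
```
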