Prevent redirect to Host (2)

Unhelpfully Locations starting with `/\` will be converted by the browser to `//` because ... well I do not fully understand. Certainly the RFCs and MDN do not indicate that this would be expected. Providing "compatibility" with the (mis)behaviour of a certain proprietary OS is my suspicion. However, we clearly have to protect against this. Therefore we should reject redirection locations that match the regular expression: `^/[\\\\/]+` Reference #9678 Signed-off-by: Andrew Thornton <art27@cantab.net>
go-gitea · Mar 22, 2022 · 8e97a93 · 8e97a93
1 parent 7a550b3
commit 8e97a93
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/modules/context/context.go b/modules/context/context.go
@@ -17,6 +17,7 @@ import (
 	"net/http"
 	"net/url"
 	"path"
+	"regexp"
 	"strconv"
 	"strings"
 	"time"
@@ -174,13 +175,19 @@ func (ctx *Context) HasValue(name string) bool {
 	return ok
 }
 
+var precedingSlashesRE = regexp.MustCompile(`^/[\\/]+`)
+
 // RedirectToFirst redirects to first not empty URL
 func (ctx *Context) RedirectToFirst(location ...string) {
 	for _, loc := range location {
 		if len(loc) == 0 {
 			continue
 		}
 
+		if precedingSlashesRE.MatchString(loc) {
+			continue
+		}
+
 		u, err := url.Parse(loc)
 		if err != nil || ((u.Scheme != "" || u.Host != "") && !strings.HasPrefix(strings.ToLower(loc), strings.ToLower(setting.AppURL))) {
 			continue