mirror of
1
Fork 0
forgejo/modules/context
zeripath 0b1686b67a
Prevent redirect to Host (2) (#19175)
Unhelpfully Locations starting with `/\` will be converted by the
browser to `//` because ... well I do not fully understand. Certainly
the RFCs and MDN do not indicate that this would be expected. Providing
"compatibility" with the (mis)behaviour of a certain proprietary OS is
my suspicion. However, we clearly have to protect against this.

Therefore we should reject redirection locations that match the regular
expression: `^/[\\\\/]+`

Reference #9678

Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-03-23 16:12:36 +00:00
..
access_log.go Pass down SignedUserName down to AccessLogger context (#16605) 2021-08-04 13:26:30 -04:00
api.go Update HTTP status codes to modern codes (#18063) 2022-03-23 12:54:07 +08:00
api_org.go Use a standalone struct name for Organization (#17632) 2021-11-19 19:41:40 +08:00
api_test.go format with gofumpt (#18184) 2022-01-20 18:46:10 +01:00
auth.go Renamed ctx.User to ctx.Doer. (#19161) 2022-03-22 15:03:22 +08:00
captcha.go format with gofumpt (#18184) 2022-01-20 18:46:10 +01:00
context.go Prevent redirect to Host (2) (#19175) 2022-03-23 16:12:36 +00:00
csrf.go format with gofumpt (#18184) 2022-01-20 18:46:10 +01:00
form.go Add config options to hide issue events (#17414) 2022-01-21 18:59:26 +01:00
org.go Renamed ctx.User to ctx.Doer. (#19161) 2022-03-22 15:03:22 +08:00
pagination.go Refactor admin user filter query parameters (#18965) 2022-03-02 16:30:14 +01:00
permission.go Renamed ctx.User to ctx.Doer. (#19161) 2022-03-22 15:03:22 +08:00
private.go format with gofumpt (#18184) 2022-01-20 18:46:10 +01:00
repo.go Redirect .wiki/* ui link to /wiki (#18831) 2022-03-23 13:29:18 +00:00
response.go format with gofumpt (#18184) 2022-01-20 18:46:10 +01:00
xsrf.go Move macaron to chi (#14293) 2021-01-26 16:36:53 +01:00
xsrf_test.go Move macaron to chi (#14293) 2021-01-26 16:36:53 +01:00