forgejo/modules
zeripath 0b1686b67a
Prevent redirect to Host (2) (#19175)
Unhelpfully Locations starting with `/\` will be converted by the
browser to `//` because ... well I do not fully understand. Certainly
the RFCs and MDN do not indicate that this would be expected. Providing
"compatibility" with the (mis)behaviour of a certain proprietary OS is
my suspicion. However, we clearly have to protect against this.

Therefore we should reject redirection locations that match the regular
expression: `^/[\\\\/]+`

Reference #9678

Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-03-23 16:12:36 +00:00
activitypub format with gofumpt (#18184) 2022-01-20 18:46:10 +01:00
analyze Use git attributes to determine generated and vendored status for language stats and diffs (#16773) 2021-09-09 21:13:36 +01:00
appstate format with gofumpt (#18184) 2022-01-20 18:46:10 +01:00
auth RSS/Atom support for Repos (#19055) 2022-03-13 17:40:47 +01:00
avatar format with gofumpt (#18184) 2022-01-20 18:46:10 +01:00
base format with gofumpt (#18184) 2022-01-20 18:46:10 +01:00
cache format with gofumpt (#18184) 2022-01-20 18:46:10 +01:00
charset Don't treat BOM escape sequence as hidden character. (#18909) 2022-02-26 16:48:23 +00:00
context Prevent redirect to Host (2) (#19175) 2022-03-23 16:12:36 +00:00
convert API: Return primary language and repository language stats API URL (#18396) 2022-01-25 08:33:40 +02:00
csv format with gofumpt (#18184) 2022-01-20 18:46:10 +01:00
doctor Use `ctx` instead of `db.DefaultContext` in some packages(routers/services/modules) (#19163) 2022-03-22 16:22:54 +01:00
emoji format with gofumpt (#18184) 2022-01-20 18:46:10 +01:00
eventsource Simplify parameter types (#18006) 2021-12-20 04:41:31 +00:00
generate Use base32 for 2FA scratch token (#18384) 2022-01-26 12:10:10 +08:00
git Make migrations SKIP_TLS_VERIFY apply to git too (#19132) 2022-03-19 14:16:38 +00:00
gitgraph Change git.cmd to RunWithContext (#18693) 2022-02-11 13:47:22 +01:00
graceful Immediately Hammer if second kill is sent (#18823) 2022-02-19 16:36:25 +00:00
hcaptcha hCaptcha Support (#12594) 2020-10-02 23:37:53 -04:00
highlight format with gofumpt (#18184) 2022-01-20 18:46:10 +01:00
hostmatcher remove not needed (#19128) 2022-03-18 20:17:57 +01:00
httpcache format with gofumpt (#18184) 2022-01-20 18:46:10 +01:00
httplib refactor httplib (#18338) 2022-01-19 19:31:39 -05:00
indexer Prevent Stats Indexer reporting error if repo dir missing (#18870) 2022-02-24 23:22:09 -05:00
json Make gitea, gitea-vet future-proof (#18361) 2022-01-22 21:59:34 +00:00
lfs Update HTTP status codes to modern codes (#18063) 2022-03-23 12:54:07 +08:00
log migrations: add test for importing pull requests in gitea uploader (#18752) 2022-02-25 17:20:50 +08:00
markup nit fix (#19116) 2022-03-17 20:04:36 +02:00
metrics format with gofumpt (#18184) 2022-01-20 18:46:10 +01:00
migration Store the foreign ID of issues during migration (#18446) 2022-03-17 18:08:35 +01:00
nosql [API] Allow removing issues (#18879) 2022-03-01 01:20:15 +01:00
notification [API] Allow removing issues (#18879) 2022-03-01 01:20:15 +01:00
options format with gofumpt (#18184) 2022-01-20 18:46:10 +01:00
password Fixed assert statements. (#16089) 2021-06-07 07:27:09 +02:00
pprof refactor: move from io/ioutil to io and os package (#17109) 2021-09-22 13:38:34 +08:00
private Update HTTP status codes to modern codes (#18063) 2022-03-23 12:54:07 +08:00
process format with gofumpt (#18184) 2022-01-20 18:46:10 +01:00
proxy Return nil proxy function if proxy not enabled (#16742) 2021-08-19 16:41:20 -04:00
public Fix mime-type detection for HTTP server (#18370) 2022-01-23 20:19:49 +08:00
queue Add number in queue status to monitor page (#18712) 2022-02-12 13:31:26 +08:00
recaptcha refactor: move from io/ioutil to io and os package (#17109) 2021-09-22 13:38:34 +08:00
references format with gofumpt (#18184) 2022-01-20 18:46:10 +01:00
repository Use `ctx` instead of `db.DefaultContext` in some packages(routers/services/modules) (#19163) 2022-03-22 16:22:54 +01:00
secret Use `CryptoRandomBytes` instead of `CryptoRandomString` (#18439) 2022-02-04 18:03:15 +01:00
session format with gofumpt (#18184) 2022-01-20 18:46:10 +01:00
setting Ensure that setting.LocalURL always has a trailing slash (#19171) 2022-03-22 16:59:57 +00:00
ssh Update golang.org/x/crypto (#19097) 2022-03-16 02:59:53 +01:00
storage Clean paths when looking in Storage (#19124) 2022-03-22 17:02:26 -04:00
structs Add config option to disable "Update branch by rebase" (#18745) 2022-03-04 03:30:49 -05:00
svg refactor: move from io/ioutil to io and os package (#17109) 2021-09-22 13:38:34 +08:00
sync Fix missing unlock in uniquequeue (#9790) 2020-01-15 23:58:33 +02:00
templates Prevent start panic due to missing DotEscape function 2022-03-23 16:08:27 +00:00
test Use `ctx` instead of `db.DefaultContext` in some packages(routers/services/modules) (#19163) 2022-03-22 16:22:54 +01:00
timeutil format with gofumpt (#18184) 2022-01-20 18:46:10 +01:00
translation Refactor i18n, use Locale to provide i18n/translation related functions (#18648) 2022-02-08 11:02:30 +08:00
typesniffer format with gofumpt (#18184) 2022-01-20 18:46:10 +01:00
updatechecker format with gofumpt (#18184) 2022-01-20 18:46:10 +01:00
upload Simplify parameter types (#18006) 2021-12-20 04:41:31 +00:00
uri Prevent NPE if gitea uploader fails to open url (#18080) 2021-12-23 16:27:33 +00:00
user Add gitea-vet (#10948) 2020-04-05 07:20:50 +01:00
util Cleanup protected branches when deleting users & teams (#19158) 2022-03-22 09:09:45 +08:00
validation format with gofumpt (#18184) 2022-01-20 18:46:10 +01:00
web Update HTTP status codes to modern codes (#18063) 2022-03-23 12:54:07 +08:00