Prevent redirect bypasses via backslash-encoded paths (#36660)
This change tightens relative URL validation to reject raw backslashes and `%5c` (encoded backslash), since browsers and URL normalizers can treat backslashes as path separators. That normalization can turn seemingly relative paths into scheme-relative URLs, creating open-redirect risk. Visiting below URL to reproduce the problem. http://localhost:3000/user/login?redirect_to=/a/../\example.com http://localhost:3000/user/login?redirect_to=/a/../%5cexample.com --------- Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
This commit is contained in:
@@ -23,6 +23,7 @@ func TestIsRelativeURL(t *testing.T) {
|
||||
"foo",
|
||||
"/",
|
||||
"/foo?k=%20#abc",
|
||||
"/foo?k=\\",
|
||||
}
|
||||
for _, s := range rel {
|
||||
assert.True(t, IsRelativeURL(s), "rel = %q", s)
|
||||
@@ -32,6 +33,8 @@ func TestIsRelativeURL(t *testing.T) {
|
||||
"\\\\",
|
||||
"/\\",
|
||||
"\\/",
|
||||
"/a/../\\b",
|
||||
"/any\\thing",
|
||||
"mailto:a@b.com",
|
||||
"https://test.com",
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user