Prevent redirect bypasses via backslash-encoded paths (#36660)

This change tightens relative URL validation to reject raw backslashes
and `%5c` (encoded backslash), since browsers and URL normalizers can
treat backslashes as path separators. That normalization can turn
seemingly relative paths into scheme-relative URLs, creating
open-redirect risk.

Visiting below URL to reproduce the problem.

http://localhost:3000/user/login?redirect_to=/a/../\example.com

http://localhost:3000/user/login?redirect_to=/a/../%5cexample.com

---------

Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
This commit is contained in:
Lunny Xiao
2026-02-22 14:15:03 -08:00
committed by GitHub
parent 8f15f76dd6
commit 3db3c058b3
2 changed files with 15 additions and 1 deletions
+3
View File
@@ -23,6 +23,7 @@ func TestIsRelativeURL(t *testing.T) {
"foo",
"/",
"/foo?k=%20#abc",
"/foo?k=\\",
}
for _, s := range rel {
assert.True(t, IsRelativeURL(s), "rel = %q", s)
@@ -32,6 +33,8 @@ func TestIsRelativeURL(t *testing.T) {
"\\\\",
"/\\",
"\\/",
"/a/../\\b",
"/any\\thing",
"mailto:a@b.com",
"https://test.com",
}