Use strict protocol check when redirect (#29642) (#29644)

Backport #29642 by wxiaoguang

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
This commit is contained in:
Giteabot 2024-03-07 11:53:33 +08:00 committed by GitHub
parent b6a2b9594a
commit 0b5a4e7db4
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 40 additions and 1 deletions

View File

@ -255,7 +255,7 @@ func (b *Base) Redirect(location string, status ...int) {
code = status[0]
}
if strings.Contains(location, "://") || strings.HasPrefix(location, "//") {
if strings.HasPrefix(location, "http://") || strings.HasPrefix(location, "https://") || strings.HasPrefix(location, "//") {
// Some browsers (Safari) have buggy behavior for Cookie + Cache + External Redirection, eg: /my-path => https://other/path
// 1. the first request to "/my-path" contains cookie
// 2. some time later, the request to "/my-path" doesn't contain cookie (caused by Prevent web tracking)

View File

@ -0,0 +1,39 @@
// Copyright 2024 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package context
import (
"net/http"
"net/http/httptest"
"testing"
"code.gitea.io/gitea/modules/context"
"code.gitea.io/gitea/modules/setting"
"github.com/stretchr/testify/assert"
)
func TestRedirect(t *testing.T) {
req, _ := http.NewRequest("GET", "/", nil)
cases := []struct {
url string
keep bool
}{
{"http://test", false},
{"https://test", false},
{"//test", false},
{"/://test", true},
{"/test", true},
}
for _, c := range cases {
resp := httptest.NewRecorder()
b, cleanup := context.NewBaseContext(resp, req)
resp.Header().Add("Set-Cookie", (&http.Cookie{Name: setting.SessionConfig.CookieName, Value: "dummy"}).String())
b.Redirect(c.url)
cleanup()
has := resp.Header().Get("Set-Cookie") == "i_like_gitea=dummy"
assert.Equal(t, c.keep, has, "url = %q", c.url)
}
}