gitea/modules/context
zeripath e3d8e92bdc
Prevent redirect to Host (2) (#19175) (#19186)
Backport #19175

Unhelpfully Locations starting with `/\` will be converted by the
browser to `//` because ... well I do not fully understand. Certainly
the RFCs and MDN do not indicate that this would be expected. Providing
"compatibility" with the (mis)behaviour of a certain proprietary OS is
my suspicion. However, we clearly have to protect against this.

Therefore we should reject redirection locations that match the regular
expression: `^/[\\\\/]+`

Reference #9678

Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-03-23 20:01:23 +00:00
..
access_log.go
api.go Refactor auth package (#17962) 2022-01-02 21:12:35 +08:00
api_org.go Use a standalone struct name for Organization (#17632) 2021-11-19 19:41:40 +08:00
api_test.go
auth.go Refactor auth package (#17962) 2022-01-02 21:12:35 +08:00
captcha.go
context.go Prevent redirect to Host (2) (#19175) (#19186) 2022-03-23 20:01:23 +00:00
csrf.go
form.go
org.go Allow adminstrator teams members to see other teams (#18918) (#18919) 2022-02-26 22:45:34 +01:00
pagination.go Refactor admin user filter query parameters (#18965) (#18975) 2022-03-02 19:57:18 +01:00
permission.go
private.go
repo.go Redirect .wiki/* ui link to /wiki (#18831) (#19184) 2022-03-23 16:46:08 +00:00
response.go
xsrf.go
xsrf_test.go