Prevent redirect to Host (#9678) (#9679)

zeripath · techknowlogick · commit 3a00a690c945 · 2020-01-09T16:37:37.000-05:00
diff --git a/modules/context/context.go b/modules/context/context.go
@@ -1,4 +1,5 @@
 // Copyright 2014 The Gogs Authors. All rights reserved.
+// Copyright 2020 The Gitea Authors. All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
 
@@ -122,7 +123,7 @@ func (ctx *Context) RedirectToFirst(location ...string) {
 		}
 
 		u, err := url.Parse(loc)
-		if err != nil || (u.Scheme != "" && !strings.HasPrefix(strings.ToLower(loc), strings.ToLower(setting.AppURL))) {
+		if err != nil || ((u.Scheme != "" || u.Host != "") && !strings.HasPrefix(strings.ToLower(loc), strings.ToLower(setting.AppURL))) {
 			continue
 		}
 

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`// Copyright 2014 The Gogs Authors. All rights reserved.`
	`2`	`+// Copyright 2020 The Gitea Authors. All rights reserved.`
`2`	`3`	`// Use of this source code is governed by a MIT-style`
`3`	`4`	`// license that can be found in the LICENSE file.`
`4`	`5`
`@@ -122,7 +123,7 @@ func (ctx *Context) RedirectToFirst(location ...string) {`
`122`	`123`	`}`
`123`	`124`
`124`	`125`	`u, err := url.Parse(loc)`
`125`		`- if err != nil \|\| (u.Scheme != "" && !strings.HasPrefix(strings.ToLower(loc), strings.ToLower(setting.AppURL))) {`
	`126`	`+ if err != nil \|\| ((u.Scheme != "" \|\| u.Host != "") && !strings.HasPrefix(strings.ToLower(loc), strings.ToLower(setting.AppURL))) {`
`126`	`127`	`continue`
`127`	`128`	`}`
`128`	`129`