
zeripath
Contributor

@zeripath zeripath commented Jan 8, 2019

Out of the box it is possible to get gitea to redirect to other servers:

$ curl -i --path-as-is http://localhost:3000//www.google.com/..
HTTP/1.1 302 Found
Content-Type: text/html; charset=utf-8
Location: //www.google.com/../
Date: Tue, 08 Jan 2019 21:53:05 GMT
Content-Length: 43

<a href="//www.google.com/../">Found</a>.

This PR cleans the path prior to sending an http.Redirect.

Fix #5627

With thanks from @0x5c

Signed-off-by: Andrew Thornton [email protected]
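The open redirect shown above, and the clean-the-path-first approach the PR describes, as an added Go example that is not part of the PR's own change: the handler names, the `isOpenRedirect` check and driving the handlers through `httptest` are my assumptions, not Gitea's implementation.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// vulnerableRedirect mirrors the behaviour in the PR description: the raw
// request path gets a trailing "/" and is handed to http.Redirect unchanged.
// http.Redirect only cleans targets that have no host, and "//www.google.com/../"
// parses with Host "www.google.com", so the header goes out as-is.
func vulnerableRedirect(w http.ResponseWriter, r *http.Request) {
	http.Redirect(w, r, r.URL.Path+"/", http.StatusFound)
}

// safeRedirect cleans the path first. path.Clean collapses repeated slashes and
// resolves ".." segments, so the result never starts with "//" and a browser
// cannot read it as a protocol-relative URL to another host.
func safeRedirect(w http.ResponseWriter, r *http.Request) {
	p := path.Clean(r.URL.Path)
	if p != "/" {
		p += "/"
	}
	http.Redirect(w, r, p, http.StatusFound)
}

// redirectLocation drives a handler with a constructed request for rawPath
// (the same shape as the curl call above) and returns the Location header.
func redirectLocation(h http.HandlerFunc, rawPath string) string {
	req := httptest.NewRequest(http.MethodGet, "http://localhost:3000"+rawPath, nil)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Header().Get("Location")
}

// isOpenRedirect is a defender's check for a Location header that leaves the
// origin: protocol-relative ("//host/...") or carrying an explicit scheme.
func isOpenRedirect(location string) bool {
	return strings.HasPrefix(location, "//") || strings.Contains(location, "://")
}

func main() {
	for _, p := range []string{"//www.google.com/..", "/assets/css"} {
		fmt.Printf("%-22s vulnerable=%q safe=%q\n", p,
			redirectLocation(vulnerableRedirect, p), redirectLocation(safeRedirect, p))
	}
}
```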

@codecov-io

codecov-io commented Jan 8, 2019

Codecov Report

Merging #5669 into master will not change coverage.
The diff coverage is 0%.


@@           Coverage Diff           @@
##           master    #5669   +/-   ##
=======================================
  Coverage   37.77%   37.77%           
=======================================
  Files         323      323           
  Lines       47595    47595           
=======================================
  Hits        17977    17977           
  Misses      27029    27029           
  Partials     2589     2589
Impacted Files Coverage Δ
modules/public/public.go 74.41% <0%> (ø) ⬆️

Powered by Codecov. Last update 0b84b5e...38d0693.

@bkcsoft bkcsoft added the lgtm/need 2 label Jan 8, 2019
@bkcsoft bkcsoft added lgtm/need 1 and removed lgtm/need 2 labels Jan 9, 2019
@bkcsoft bkcsoft added lgtm/done and removed lgtm/need 1 labels Jan 9, 2019
@techknowlogick techknowlogick merged commit dd13327 into go-gitea:master Jan 9, 2019
@techknowlogick
Member

@zeripath please backport

@zeripath zeripath deleted the issue-5627-url-redirect-security-issue branch January 9, 2019 20:15
zeripath added a commit to zeripath/gitea that referenced this pull request Jan 9, 2019
@techknowlogick techknowlogick added the backport/done label Jan 9, 2019
techknowlogick pushed a commit that referenced this pull request Jan 9, 2019
@lunny
Member

lunny commented Jan 10, 2019

This should also be backported to release/v1.6.

Successfully merging this pull request may close these issues.

URL redirect may cause security problem