Do not strip leading slash from path #1511
Referenced this pull request on May 12, 2017
This may be relevant:
Note "zero or more", so "//" is valid in a URL and I guess distinct from "/". We probably shouldn't strip it unless we have a good reason to.
By the way, it fixes a security issue: if we configure a reverse proxy for a gunicorn app that denies access to '/admin/', then an attacker can bypass this rule by requesting 'https://example.org//admin/'.
We patched our proxy configurations to redirect requests from '//+(.+)' to '/$1', but there could be more apps with such a vulnerability.
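As an added illustration (not code from this PR or from gunicorn itself), the following Python model shows the mismatch the comment above describes: a proxy deny rule that matches the path as the client sent it, an app that collapses leading slashes versus one that passes the path through unchanged, and the proxy-side rewrite the commenter applied. The function names, the `/admin/` prefix and the `admin_reachable` harness are assumptions made for the example.

```python
import re

# Constructed deny rule: the proxy is meant to block everything under /admin/.
DENIED_PREFIX = "/admin/"


def proxy_allows(path: str) -> bool:
    """Deny rule as a typical reverse proxy evaluates it: a literal prefix
    match against the path string it was given (no normalization)."""
    return not path.startswith(DENIED_PREFIX)


def strip_leading_slashes(path: str) -> str:
    """Behaviour the PR removes: any run of leading '/' collapses to one,
    so '//admin/' is routed exactly like '/admin/'."""
    return "/" + path.lstrip("/")


def keep_path(path: str) -> str:
    """Behaviour after the PR: the path reaches the app exactly as sent,
    so '//admin/' and '/admin/' are distinct, as the RFC grammar allows."""
    return path


def collapse_before_acl(raw_path: str) -> str:
    """Proxy-side mitigation from the thread: rewrite '//+(.+)' to '/$1'
    before the deny rule runs, so the rule and the app see the same path."""
    return re.sub(r"^/{2,}(.*)", r"/\1", raw_path)


def admin_reachable(raw_path, app_normalize, proxy_normalize=keep_path):
    """Return True if a request for raw_path ends up handled by the app's
    /admin/ handler, given how the proxy and the app each treat the path."""
    path_seen_by_proxy = proxy_normalize(raw_path)
    if not proxy_allows(path_seen_by_proxy):
        return False  # blocked at the proxy, never reaches the app
    # The proxy forwards the path it evaluated; the app applies its own rule.
    return app_normalize(path_seen_by_proxy).startswith(DENIED_PREFIX)


if __name__ == "__main__":
    for raw in ("/admin/", "//admin/", "///admin/"):
        print(raw,
              "old app:", admin_reachable(raw, strip_leading_slashes),
              "fixed app:", admin_reachable(raw, keep_path),
              "old app + proxy rewrite:",
              admin_reachable(raw, strip_leading_slashes, collapse_before_acl))
```

The ACL only holds when both sides agree on the path, either because the app stops rewriting it (this PR) or because the proxy canonicalizes before matching.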