fileserver: Use safe redirects in file browser
mholt committed Jul 7, 2022
1 parent f259ed5 commit c0f76e9
Showing 1 changed file with 1 addition and 3 deletions.
4 changes: 1 addition & 3 deletions modules/caddyhttp/fileserver/browse.go
Expand Up @@ -67,9 +67,7 @@ func (fsrv *FileServer) serveBrowse(root, dirPath string, w http.ResponseWriter,
if r.URL.Path == "" || path.Base(origReq.URL.Path) == path.Base(r.URL.Path) {
if !strings.HasSuffix(origReq.URL.Path, "/") {
fsrv.logger.Debug("redirecting to trailing slash to preserve hrefs", zap.String("request_path", r.URL.Path))
origReq.URL.Path += "/"
http.Redirect(w, r, origReq.URL.String(), http.StatusMovedPermanently)
return nil
return redirect(w, r, origReq.URL.Path+"/")
}
}
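
Review bot: The added call `redirect(w, r, origReq.URL.Path+"/")` passes only the path, where the removed code redirected to `origReq.URL.String()` with an explicit `http.StatusMovedPermanently`, so both the query string and the status code now depend on a helper whose body is not part of this hunk. Please confirm that `redirect` preserves `r.URL.RawQuery` and document which status it sends, since the file browser may be reached with query parameters that the redirect would otherwise drop. The commit title says "safe redirects", but nothing at the call site explains what was unsafe about sending the client-supplied path straight into the Location header; a short comment here, plus a regression test asserting that the Location value for a browse redirect always resolves to the same host, would keep a later refactor from reintroducing the direct `http.Redirect`. Minor: the debug log records `r.URL.Path` while the redirect is built from `origReq.URL.Path`, so logging the original path as well would make the entry match what the client is actually sent.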


1 comment on commit c0f76e9

@CHTJonas

Credit for originally discovering this open redirect issue must go to Mayank Mukhi, who disclosed it to me, and I then passed it on to @mholt.

If anyone would like to tip their hat to say thanks, Mayank's PayPal is mukhianju3@gmail.com
