Default regex tightened to address open URL redirection issue #346
It is possible to bypass the existing whitelist to redirect to a URL of an attacker's choosing using a schemaless URL, e.g. //github.com. This is because the current default regex whitelist checks only to ensure that the first character of the location header in the redirect request is a '/'. This has been assigned CVE-2015-8094, although no details have been released on it.
The changed regex is tightened to allow for '/' alone, but if more characters are found in the string, then the second character must be alphanumeric. No further restrictions are in place.
I'd like to encourage testing of this to ensure that the fix works as expected.
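The two whitelist rules as described above, side by side, as an added illustration rather than the project's own code: OLD_DEFAULT, NEW_DEFAULT and the sample Location values are my reconstruction from the description (start with '/', and for the tightened rule the second character, if present, must be alphanumeric), not the actual regexes in the repository.

```python
import re

# Reconstruction (an assumption, not the project's source) of the two default
# whitelist regexes described in the PR. The old rule only checked that the
# Location value begins with '/'; the tightened rule also requires the second
# character, when one exists, to be alphanumeric. Anchors are \A and \Z so the
# check applies to the whole value, not just one line of it.
OLD_DEFAULT = re.compile(r"\A/")
NEW_DEFAULT = re.compile(r"\A/(?:[A-Za-z0-9]|\Z)")


def is_allowed_redirect(location: str, pattern: re.Pattern = NEW_DEFAULT) -> bool:
    """Return True if the Location header value passes the whitelist regex."""
    return pattern.search(location) is not None


def compare_whitelists(locations):
    """Evaluate each candidate Location under both rules.

    Returns a dict mapping the value to (allowed_by_old, allowed_by_new).
    """
    return {
        loc: (is_allowed_redirect(loc, OLD_DEFAULT), is_allowed_redirect(loc, NEW_DEFAULT))
        for loc in locations
    }


# Constructed sample Location values: the two local paths should pass both
# rules, the schemaless URL from the report should pass only the old rule,
# and the absolute URL should pass neither.
SAMPLES = ["/", "/account", "//github.com", "https://github.com"]

if __name__ == "__main__":
    for loc, (old, new) in compare_whitelists(SAMPLES).items():
        print(f"{loc!r:22} old={old!s:5} new={new}")
```

The difference shows up only for the schemaless case: //github.com is accepted by OLD_DEFAULT and rejected by NEW_DEFAULT, which is exactly the case the report describes.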