Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix open redirect check for more cases (#25143) #25155

Merged
merged 1 commit into from Jun 8, 2023
Merged

Fix open redirect check for more cases (#25143) #25155

merged 1 commit into from Jun 8, 2023

Conversation

lafriks
Copy link
Member

@lafriks lafriks commented Jun 8, 2023

Backport #25143

If redirect_to parameter has set value starting with \example.com redirect will be created with header Location: /\example.com that will redirect to example.com domain.

@lafriks
Fix open redirect check for more cases (go-gitea#25143)
303ecbe 
If redirect_to parameter has set value starting with `\\example.com`
redirect will be created with header `Location: /\\example.com` that
will redirect to example.com domain.
@lafriks lafriks added the topic/security Something leaks user information or is otherwise vulnerable. Should be fixed! label Jun 8, 2023
@lafriks lafriks added this to the 1.19.4 milestone Jun 8, 2023
@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Jun 8, 2023
@pull-request-size pull-request-size bot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Jun 8, 2023
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Jun 8, 2023
@lafriks lafriks enabled auto-merge (squash) June 8, 2023 16:42
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Jun 8, 2023
@lafriks lafriks merged commit a903005 into go-gitea:release/v1.19 Jun 8, 2023
2 checks passed
@techknowlogick techknowlogick deleted the fix/redirect_check branch June 8, 2023 17:03
Codeberg-org pushed a commit to Codeberg-org/gitea that referenced this pull request Jun 23, 2023
@lafriks @earl-warren
Fix open redirect check for more cases (go-gitea#25143) (go-gitea#25155)
a259a92 
Backport go-gitea#25143

If redirect_to parameter has set value starting with \\example.com
redirect will be created with header Location: /\\example.com that will
redirect to example.com domain.

(cherry picked from commit a903005)
@go-gitea go-gitea locked as resolved and limited conversation to collaborators Sep 6, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@silverwind silverwind silverwind approved these changes

@techknowlogick techknowlogick techknowlogick approved these changes

Assignees
No one assigned
Labels
lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. topic/security Something leaks user information or is otherwise vulnerable. Should be fixed!
Projects
None yet
Milestone
1.19.4
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@lafriks @silverwind @techknowlogick @GiteaBot