
Insecure function isValidRedirect leads to open redirect vulnerability #5364

Closed
1 of 3 tasks
chromium1337 opened this issue Aug 6, 2018 · 1 comment
Labels
💊 bug Something isn't working status: needs feedback Tell me more about it

Comments

@chromium1337
Contributor

chromium1337 commented Aug 6, 2018

  • Gogs version (or commit ref): <= 0.11.53.0603
  • Can you reproduce the bug at https://try.gogs.io:
    • Yes (provide example URL)
    • No
    • Not relevant

Description

The function isValidRedirect in gogs/routes/user/auth.go is used in the login action to validate whether the URL is on the same site.

// isValidRedirect returns false if the URL does not redirect to same site.
// False: //url, http://url
// True: /url
func isValidRedirect(url string) bool {
	return len(url) >= 2 && url[0] == '/' && url[1] != '/'
}

If the Location header starts with /\, it will be transformed to // by browsers.

Check PoC here.
PoC gif: [Imgur image]

A possible fix might look like:

// isValidRedirect returns false if the URL does not redirect to same site.
// False: //url, http://url, /\url
// True: /url
func isValidRedirect(url string) bool {
	return len(url) >= 2 && url[0] == '/' && url[1] != '/' && url[1] != '\\'
}

Discoverer: bluecatli from Tencent's Xuanwu Lab
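To make the bypass concrete, here is an added example (not part of the issue or of Gogs) that runs the check as quoted above beside a hardened variant over constructed redirect targets. The hardened version goes further than the one-character fix proposed in the issue: it rejects a backslash anywhere in the value and parses the result with net/url to confirm there is no scheme, host or userinfo. evil.example is a placeholder host.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// isValidRedirectOld mirrors the check quoted in the issue: it only rejects
// a second leading "/", so a target such as `/\evil.example` is accepted and
// is then normalised by browsers into a protocol-relative URL.
func isValidRedirectOld(u string) bool {
	return len(u) >= 2 && u[0] == '/' && u[1] != '/'
}

// isValidRedirectHardened accepts only same-site, path-only targets.
// Added example, not Gogs code: rejects "//" and any backslash up front,
// then confirms via net/url that no scheme, host or userinfo is present.
func isValidRedirectHardened(u string) bool {
	if len(u) < 2 || u[0] != '/' || u[1] == '/' || strings.ContainsAny(u, "\\") {
		return false
	}
	// net/url treats '\' as an ordinary path byte, so the explicit check
	// above is still required; parsing catches scheme/host smuggling.
	parsed, err := url.Parse(u)
	if err != nil {
		return false
	}
	return parsed.Scheme == "" && parsed.Host == "" && parsed.User == nil
}

func main() {
	// Constructed sample targets; the third one is the bypass from the issue.
	targets := []string{
		"/user/settings",
		"//evil.example",
		`/\evil.example`,
		"http://evil.example",
	}
	for _, t := range targets {
		fmt.Printf("%-22q old=%-5v hardened=%v\n", t, isValidRedirectOld(t), isValidRedirectHardened(t))
	}
}
```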

@unknwon unknwon added 💊 bug Something isn't working status: needs feedback Tell me more about it labels Aug 6, 2018
@unknwon unknwon added this to the 0.12 milestone Aug 6, 2018
@unknwon
Member

unknwon commented Aug 6, 2018

This is claimed to be fixed by merging #5365; please help test on the develop branch.

@unknwon unknwon closed this as completed Sep 16, 2018
@unknwon unknwon removed this from the 0.13 milestone Nov 26, 2019
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 22, 2022