
Insecure function `isValidRedirect` leads to open redirect vulnerability #5364

Closed
chromium1337 opened this Issue Aug 6, 2018 · 1 comment

Comments

2 participants
@chromium1337
Contributor

chromium1337 commented Aug 6, 2018

  • Gogs version (or commit ref): <= 0.11.53.0603
  • Can you reproduce the bug at https://try.gogs.io:
    • Yes (provide example URL)
    • No
    • Not relevant

Description

The function isValidRedirect in gogs/routes/user/auth.go is used in the login action to validate whether a URL is on the same site.

// isValidRedirect returns false if the URL does not redirect to same site.
// False: //url, http://url
// True: /url
func isValidRedirect(url string) bool {
	return len(url) >= 2 && url[0] == '/' && url[1] != '/'
}

If the Location header starts with /\, it will be transformed to // by browsers.

Check PoC here.
PoC gif:

A positive fix might look like:

// isValidRedirect returns false if the URL does not redirect to same site.
// False: //url, http://url, /\url
// True: /url
func isValidRedirect(url string) bool {
	return len(url) >= 2 && url[0] == '/' && url[1] != '/' && url[1] != '\\'
}

Discoverer: bluecatli from Tencent's Xuanwu Lab
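The two checks quoted in the report, run side by side over a constructed set of redirect values so the difference is visible in one place. This is an added example, not code from the Gogs project; the sample inputs, the hostnames in them, and the helper names compareChecks and sampleRedirects are mine.

```go
package main

import "fmt"

// isValidRedirect is the original check quoted in the issue: it accepts any
// value that begins with "/" as long as the second character is not "/".
func isValidRedirect(u string) bool {
	return len(u) >= 2 && u[0] == '/' && u[1] != '/'
}

// isValidRedirectFixed is the patched check proposed in the issue. It also
// rejects a backslash in the second position, because browsers normalise a
// leading "/\" to "//" and then treat what follows as a host.
func isValidRedirectFixed(u string) bool {
	return len(u) >= 2 && u[0] == '/' && u[1] != '/' && u[1] != '\\'
}

// sampleRedirects returns constructed values of the kind a "redirect_to"
// parameter might carry; the hostnames are placeholders, not real targets.
func sampleRedirects() []string {
	return []string{
		"/user/settings",              // ordinary same-site path
		"//other.example",             // protocol-relative, already rejected
		"http://other.example",        // absolute URL, already rejected
		`/\other.example`,             // the bypass reported in the issue
		"/",                           // too short for either check
		"",                            // empty value
	}
}

// compareChecks returns the inputs on which the two functions disagree, which
// is exactly the set of values the original check lets through and the
// patched check blocks.
func compareChecks(inputs []string) []string {
	var disagreements []string
	for _, in := range inputs {
		if isValidRedirect(in) != isValidRedirectFixed(in) {
			disagreements = append(disagreements, in)
		}
	}
	return disagreements
}

func main() {
	fmt.Printf("%-24s %-8s %-8s\n", "input", "original", "fixed")
	for _, in := range sampleRedirects() {
		fmt.Printf("%-24q %-8v %-8v\n", in, isValidRedirect(in), isValidRedirectFixed(in))
	}
	fmt.Println("inputs where the checks disagree:", compareChecks(sampleRedirects()))
}
```

Running it prints a small table; the only row where the two columns differ is the `/\` value, which the original function accepts and the patched one rejects. The check is a byte-level test on the raw string, so it is cheap to add to a unit test suite whenever the validation logic changes.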

@Unknwon Unknwon added this to the 0.12 milestone Aug 6, 2018

Unknwon added a commit that referenced this issue Aug 6, 2018

This is claimed to be fixed by merging #5365, please help test on develop branch.

Member

Unknwon commented Aug 6, 2018

This is claimed to be fixed by merging #5365, please help test on develop branch.

@Unknwon Unknwon closed this Sep 16, 2018
