Closed
- Gogs version (or commit ref): <= 0.11.53.0603
- Can you reproduce the bug at https://try.gogs.io:
  - Yes (provide example URL)
  - No
  - Not relevant

Description
The function isValidRedirect in gogs/routes/user/auth.go is used by the login action to validate whether the redirect URL points to the same site.
```go
// isValidRedirect returns false if the URL does not redirect to same site.
// False: //url, http://url
// True: /url
func isValidRedirect(url string) bool {
	return len(url) >= 2 && url[0] == '/' && url[1] != '/'
}
```
If the Location header starts with /\, browsers normalize it to //, so the check above accepts a value that actually redirects to another host.
Check PoC here.
PoC gif:
A possible fix might look like:
```go
// isValidRedirect returns false if the URL does not redirect to same site.
// False: //url, http://url, /\url
// True: /url
func isValidRedirect(url string) bool {
	return len(url) >= 2 && url[0] == '/' && url[1] != '/' && url[1] != '\\'
}
```
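To compare the two checks, here is an added example (not Gogs code): it runs the original and the patched isValidRedirect over a few constructed redirect targets and also prints which host Go's net/url parser extracts from each. The point it shows is that net/url treats /\host as a plain path with no host, so a server-side parser check alone would not reflect what the browser does, which is why the byte-level rejection of the backslash is needed. evil.example is a placeholder host.

```go
package main

import (
	"fmt"
	"net/url"
)

// Check as shipped in the affected Gogs versions (copied from the report).
func isValidRedirectVulnerable(u string) bool {
	return len(u) >= 2 && u[0] == '/' && u[1] != '/'
}

// Check with the backslash rejection proposed in the report.
func isValidRedirectFixed(u string) bool {
	return len(u) >= 2 && u[0] == '/' && u[1] != '/' && u[1] != '\\'
}

// parsedHost returns the host that Go's net/url sees in u ("" on parse error).
// This is the server-side view only; a browser may resolve the same string differently.
func parsedHost(u string) string {
	parsed, err := url.Parse(u)
	if err != nil {
		return ""
	}
	return parsed.Host
}

func main() {
	// Constructed sample redirect targets; evil.example is a placeholder host.
	samples := []string{
		"/user/settings",
		"//evil.example/",
		`/\evil.example/`,
		"http://evil.example/",
		"/",
	}
	fmt.Printf("%-22s %-10s %-6s %s\n", "input", "vulnerable", "fixed", "host seen by net/url")
	for _, s := range samples {
		fmt.Printf("%-22s %-10v %-6v %q\n",
			s, isValidRedirectVulnerable(s), isValidRedirectFixed(s), parsedHost(s))
	}
}
```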
Discoverer: bluecatli from Tencent's Xuanwu Lab
