
Insecure function isValidRedirect leads to open redirect vulnerability  #5364

Closed
@chromium1337

  • Gogs version (or commit ref): <= 0.11.53.0603
  • Can you reproduce the bug at https://try.gogs.io:
    • Yes (provide example URL)
    • No
    • Not relevant

Description

The function isValidRedirect in gogs/routes/user/auth.go is used in the login action to validate that the URL is on the same site.

// isValidRedirect returns false if the URL does not redirect to same site.
// False: //url, http://url
// True: /url
func isValidRedirect(url string) bool {
	return len(url) >= 2 && url[0] == '/' && url[1] != '/'
}

If the Location header starts with /\, browsers will transform it into //.

Check PoC here.
PoC gif:

A possible fix might look like:

// isValidRedirect returns false if the URL does not redirect to same site.
// False: //url, http://url, /\url
// True: /url
func isValidRedirect(url string) bool {
	return len(url) >= 2 && url[0] == '/' && url[1] != '/' && url[1] != '\\'
}

Discoverer: bluecatli from Tencent's Xuanwu Lab
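The following is an added example, not part of the issue above and not Gogs' own code. It puts the reported check and the proposed fix side by side, drives them through a minimal login-style handler with net/http/httptest so the emitted Location header can be inspected, and adds a stricter parse-based variant (isLocalRedirect) as a suggestion of my own. The handler shape, the /user/login route and the redirect_to query parameter are assumptions for illustration; the input URLs are constructed test data.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// isValidRedirectOriginal is the check quoted in the issue. It only looks at
// the first two bytes, so `/\evil.com` passes: browsers following the WHATWG
// URL parser treat `\` as `/` for http(s) URLs, turning it into `//evil.com`.
func isValidRedirectOriginal(u string) bool {
	return len(u) >= 2 && u[0] == '/' && u[1] != '/'
}

// isValidRedirectPatched is the fix proposed in the issue: also reject `/\`.
func isValidRedirectPatched(u string) bool {
	return len(u) >= 2 && u[0] == '/' && u[1] != '/' && u[1] != '\\'
}

// isLocalRedirect is a stricter, parse-based variant (my suggestion, not the
// project's code): the target must parse, carry no scheme, host or userinfo,
// and have a path that starts with exactly one slash and contains no
// backslash anywhere. Because url.Parse decodes percent-escapes into Path, an
// encoded backslash such as `/%5cevil.com` is rejected too (conservatively).
func isLocalRedirect(raw string) bool {
	parsed, err := url.Parse(raw)
	if err != nil {
		return false
	}
	if parsed.Scheme != "" || parsed.Host != "" || parsed.User != nil {
		return false
	}
	p := parsed.Path
	if len(p) < 2 || p[0] != '/' || p[1] == '/' {
		return false
	}
	return !strings.ContainsRune(p, '\\')
}

// redirectLocation drives a minimal login-style handler (assumed shape, not
// Gogs' real handler) through httptest and returns the Location header it
// emits. The handler falls back to "/" whenever the check rejects the target.
func redirectLocation(check func(string) bool, redirectTo string) string {
	handler := func(w http.ResponseWriter, r *http.Request) {
		target := r.URL.Query().Get("redirect_to")
		if !check(target) {
			target = "/"
		}
		http.Redirect(w, r, target, http.StatusFound)
	}
	req := httptest.NewRequest(http.MethodGet,
		"/user/login?redirect_to="+url.QueryEscape(redirectTo), nil)
	rec := httptest.NewRecorder()
	handler(rec, req)
	return rec.Header().Get("Location")
}

func main() {
	// Constructed redirect targets: two benign, three that must not leave the site.
	targets := []string{"/user/settings", "/repo/new?fork=1", `/\evil.com`, "//evil.com", "http://evil.com/"}
	for _, t := range targets {
		fmt.Printf("%-20q original=%-14q patched=%-14q strict=%q\n", t,
			redirectLocation(isValidRedirectOriginal, t),
			redirectLocation(isValidRedirectPatched, t),
			redirectLocation(isLocalRedirect, t))
	}
}
```

Note that http.Redirect passes `/\evil.com` through unchanged (url.Parse sees no scheme or host, and path.Clean only treats `/` as a separator), so the server-side check is the only thing standing between the attacker-controlled parameter and the browser's slash normalisation. The strict variant still leaves it to the caller to decide whether a bare "/" or an empty target should be accepted; here it mirrors the original's length requirement.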
