
net/http: Redirect only sanitizes relative but not absolute URIs #23961

Closed
@urld


What version of Go are you using (go version)?

go version go1.10 linux/amd64

Does this issue reproduce with the latest release?

yes

What did you do?

Call http.Redirect with various URIs:

https://play.golang.org/p/Sjx3ktkGOSQ

What did you expect to see?

I expect the same uri sanitation happening on both relative and absolute redirects.

http://example.com/foo/
http://example.com/foo/
/foo/
/foo/

What did you see instead?

URIs for absolute Redirects are used as is, without any sanitation, while relative redirect uris

http://example.com/qux/../foo/
http://example.com/qux/../foo//
/foo/
/foo/

RFC 7231 (https://tools.ietf.org/html/rfc7231#section-7.1.2) does not seem to specify if the path contained in the Location header should be "clean".
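The behaviour reported above can be reproduced offline with `httptest`; this is an added example, not the reporter's playground code or part of net/http. The four targets are constructed to match the outputs listed in the issue, and `cleanTarget` is a hypothetical helper showing one way a caller can normalize an absolute target before handing it to `http.Redirect`.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"path"
	"strings"
)

// locationFor returns the Location header http.Redirect emits for target.
func locationFor(target string) string {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "http://example.com/", nil)
	http.Redirect(rec, req, target, http.StatusFound)
	return rec.Header().Get("Location")
}

// cleanTarget (hypothetical helper) applies path.Clean to the path of any
// redirect target, absolute or relative, preserving a trailing slash.
func cleanTarget(target string) (string, error) {
	u, err := url.Parse(target)
	if err != nil {
		return "", err
	}
	if u.Path == "" || u.Opaque != "" {
		return u.String(), nil // nothing to clean (no path, or opaque URI)
	}
	trailing := strings.HasSuffix(u.Path, "/")
	u.Path = path.Clean(u.Path)
	if trailing && !strings.HasSuffix(u.Path, "/") {
		u.Path += "/"
	}
	u.RawPath = "" // re-encode from the cleaned, decoded Path
	return u.String(), nil
}

func main() {
	// Constructed sample targets.
	for _, t := range []string{
		"http://example.com/qux/../foo/", "http://example.com/qux/../foo//",
		"/qux/../foo/", "/qux/../foo//",
	} {
		cleaned, _ := cleanTarget(t)
		fmt.Printf("%-33s as-is=%-33s cleaned=%s\n", t, locationFor(t), locationFor(cleaned))
	}
}
```

Because `cleanTarget` works on the decoded path, a target containing an encoded slash (`%2F`) is re-encoded after cleaning and may not round-trip byte for byte.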

Labels: FrozenDueToAge, NeedsDecision (Feedback is required from experts, contributors, and/or the community before a change can be made.)
