net/http: Redirect only sanitizes relative but not absolute URIs

[urld]

What version of Go are you using (go version)?

go version go1.10 linux/amd64

Does this issue reproduce with the latest release?

yes

What did you do?

Call http.Redirect with various URIs:

https://play.golang.org/p/Sjx3ktkGOSQ

What did you expect to see?

I expect the same uri sanitation happening on both relative and absolute redirects.

http://example.com/foo/
http://example.com/foo/
/foo/
/foo/

What did you see instead?

URIs for absolute Redirects are used as is, without any sanitation, while relative redirect uris

http://example.com/qux/../foo/
http://example.com/qux/../foo//
/foo/
/foo/

RFC 7231 (https://tools.ietf.org/html/rfc7231#section-7.1.2) does not seem to specify if the path contained in the Location header should be "clean".

[bradfitz]

/cc @tombergan for any thoughts

[bradfitz]

I think this is working as intended.

Any cleaning we're doing is only because we try to absolute-ify any relative redirects.

But if the user gave us a plausibly correct Location header (in that it's absolute-looking), then we just pass it through.