Join GitHub today
GitHub is home to over 36 million developers working together to host and review code, manage projects, and build software together.
Sign upnet/http: Redirect only sanitizes relative but not absolute URIs #23961
Comments
urld
referenced this issue
Feb 20, 2018
Closed
net/http, x/net/http2: update RFC numbers used as normative references #21974
This comment has been minimized.
This comment has been minimized.
|
/cc @tombergan for any thoughts |
bradfitz
added this to the Go1.11 milestone
Feb 20, 2018
bradfitz
added
the
NeedsDecision
label
Feb 20, 2018
This comment has been minimized.
This comment has been minimized.
|
I think this is working as intended. Any cleaning we're doing is only because we try to absolute-ify any relative redirects. But if the user gave us a plausibly correct Location header (in that it's absolute-looking), then we just pass it through. |
bradfitz
closed this
May 29, 2018
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
urld commentedFeb 20, 2018
What version of Go are you using (
go version)?go version go1.10 linux/amd64
Does this issue reproduce with the latest release?
yes
What did you do?
Call http.Redirect with various URIs:
https://play.golang.org/p/Sjx3ktkGOSQ
What did you expect to see?
I expect the same uri sanitation happening on both relative and absolute redirects.
What did you see instead?
URIs for absolute Redirects are used as is, without any sanitation, while relative redirect uris
RFC 7231 (https://tools.ietf.org/html/rfc7231#section-7.1.2) does not seem to specify if the path contained in the Location header should be "clean".