net/http: Redirect only sanitizes relative but not absolute URIs #23961
/cc @tombergan for any thoughts
I think this is working as intended. Any cleaning we're doing is only because we try to absolute-ify any relative redirects. But if the user gave us a plausibly correct Location header (in that it's absolute-looking), then we just pass it through.
What version of Go are you using (go version)?
go version go1.10 linux/amd64
Does this issue reproduce with the latest release?
yes
What did you do?
Call http.Redirect with various URIs:
https://play.golang.org/p/Sjx3ktkGOSQ
What did you expect to see?
I expect the same URI sanitization happening on both relative and absolute redirects.
What did you see instead?
URIs for absolute redirects are used as is, without any sanitization, while relative redirect URIs
RFC 7231 (https://tools.ietf.org/html/rfc7231#section-7.1.2) does not seem to specify if the path contained in the Location header should be "clean".
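The behaviour reported in this issue, as an added example (not code from the issue or from net/http): `locationFor` records the Location header that http.Redirect emits, and `cleanAbsolute` is a hypothetical helper showing one way a caller who wants cleaned paths on absolute targets could apply the same path.Clean step before redirecting. The URLs are constructed samples.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"path"
	"strings"
)

// locationFor returns the Location header http.Redirect emits for target
// while serving a request for reqPath.
func locationFor(reqPath, target string) string {
	req := httptest.NewRequest(http.MethodGet, reqPath, nil)
	rec := httptest.NewRecorder()
	http.Redirect(rec, req, target, http.StatusFound)
	return rec.Header().Get("Location")
}

// cleanAbsolute is a hypothetical helper (not part of net/http). For a URL
// with a host it applies path.Clean to the decoded path, preserving a
// trailing slash; relative targets are returned as-is for http.Redirect.
func cleanAbsolute(target string) string {
	u, err := url.Parse(target)
	if err != nil || u.Host == "" || u.Path == "" {
		return target
	}
	trailing := strings.HasSuffix(u.Path, "/")
	u.Path = path.Clean(u.Path)
	if trailing && !strings.HasSuffix(u.Path, "/") {
		u.Path += "/"
	}
	u.RawPath = "" // re-encode from the cleaned, decoded path
	return u.String()
}

func main() {
	// Constructed sample targets: one relative, one absolute.
	for _, t := range []string{"/a/../b//c", "http://example.com/a/../b//c"} {
		fmt.Printf("raw     %-30s -> %s\n", t, locationFor("/start", t))
		fmt.Printf("cleaned %-30s -> %s\n", t, locationFor("/start", cleanAbsolute(t)))
	}
}
```

Because `cleanAbsolute` works on the decoded path, percent-encoded dot segments and slashes are normalized as well, which may or may not be what an application wants.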