net/http: Redirect only sanitizes relative but not absolute URIs #23961

urld · 2018-02-20T21:40:06Z

go version go1.10 linux/amd64

yes

Call http.Redirect with various URIs:

I expect the same uri sanitation happening on both relative and absolute redirects.

http://example.com/foo/
http://example.com/foo/
/foo/
/foo/

URIs for absolute Redirects are used as is, without any sanitation, while relative redirect uris

http://example.com/qux/../foo/
http://example.com/qux/../foo//
/foo/
/foo/

RFC 7231 (https://tools.ietf.org/html/rfc7231#section-7.1.2) does not seem to specify if the path contained in the Location header should be "clean".

bradfitz · 2018-02-20T22:24:41Z

/cc @tombergan for any thoughts

bradfitz · 2018-05-29T20:22:48Z

I think this is working as intended.

Any cleaning we're doing is only because we try to absolute-ify any relative redirects.

But if the user gave us a plausibly correct Location header (in that it's absolute-looking), then we just pass it through.

urld mentioned this issue Feb 20, 2018

net/http, x/net/http2: update RFC numbers used as normative references #21974

Closed

bradfitz added this to the Go1.11 milestone Feb 20, 2018

bradfitz added the NeedsDecision label Feb 20, 2018

bradfitz closed this May 29, 2018

golang locked and limited conversation to collaborators May 29, 2019

gopherbot added the FrozenDueToAge label May 29, 2019

golang / go