Closed
Description
What version of Go are you using (go version
)?
go version go1.10 linux/amd64
Does this issue reproduce with the latest release?
yes
What did you do?
Call http.Redirect with various URIs:
https://play.golang.org/p/Sjx3ktkGOSQ
What did you expect to see?
I expect the same uri sanitation happening on both relative and absolute redirects.
http://example.com/foo/
http://example.com/foo/
/foo/
/foo/
What did you see instead?
URIs for absolute Redirects are used as is, without any sanitation, while relative redirect uris
http://example.com/qux/../foo/
http://example.com/qux/../foo//
/foo/
/foo/
RFC 7231 (https://tools.ietf.org/html/rfc7231#section-7.1.2) does not seem to specify if the path contained in the Location header should be "clean".