Description
The http.Redirect function writes a 3xx redirect to a ResponseWriter.
Redirect takes a URL parameter, of type string. The URL parameter has only minimal sanitization applied, and is not safe for use with attacker-controlled inputs.
One example of possibly-surprising behavior is that a redirect to \\example.com is a relative-path reference according to RFC 3986, but will be interpreted by most browsers as a network-path reference. /\example.com is an absolute-path reference according to the RFC, but will also be interpreted by browsers as a network-path reference. (Thanks to Jingcheng Yang (Sichuan University), Enze Wang (IPASSLAB, @zer0yu), and Jianjun Chen (Tsinghua University & Zhongguancun Laboratory) for reporting this case.)
We should document that Redirect does not sanitize its URL parameter. Users who wish to use Redirect with untrusted URLs should parse the URL with net/url, perform whatever validation they may wish, and then reassemble the parsed and validated URL into a string with net/url.URL.String.
We should also consider, as a hardening measure, %-encoding backslashes at the start of Redirect's URL parameter to prevent browsers from interpreting them as part of an absolute-path reference.
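The parse, validate and reassemble pattern recommended above, together with the backslash behaviour just described, as an added example that is not code from this issue or from the Go project. `SafeLocalRedirectTarget` and `redirectHandler` are names assumed here; the function accepts only same-origin absolute-path references, and the test inputs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// ErrUnsafeRedirect is returned for any target that is not a same-origin absolute path.
var ErrUnsafeRedirect = errors.New("redirect target is not a local absolute path")

// SafeLocalRedirectTarget parses an untrusted target with net/url, validates it, and
// rebuilds it with URL.String; only "/path?query#fragment" on the current origin passes.
func SafeLocalRedirectTarget(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	// Reject any scheme or authority: "https://...", "//host/...", "user@host".
	if u.Scheme != "" || u.Host != "" || u.User != nil || u.Opaque != "" {
		return "", ErrUnsafeRedirect
	}
	// Require an absolute-path reference: this drops `\\example.com` (a relative path per
	// RFC 3986 that browsers read as //example.com) and "///host", which net/url keeps as a
	// path but browsers collapse into a network-path reference.
	if !strings.HasPrefix(u.Path, "/") || strings.HasPrefix(u.Path, "//") {
		return "", ErrUnsafeRedirect
	}
	// Reassembly %-encodes the backslash in `/\example.com` to "/%5Cexample.com".
	return u.String(), nil
}

// redirectHandler redirects to the "next" parameter only when it passes validation.
func redirectHandler(w http.ResponseWriter, r *http.Request) {
	target, err := SafeLocalRedirectTarget(r.URL.Query().Get("next"))
	if err != nil {
		target = "/" // fixed safe fallback instead of the attacker's value
	}
	http.Redirect(w, r, target, http.StatusFound)
}

func main() {
	for _, in := range []string{"/account?next=%2Fhome", `/\example.com`, `\\example.com`, "//evil.example/", "///evil.example"} {
		out, err := SafeLocalRedirectTarget(in)
		fmt.Printf("%-20q -> %q %v\n", in, out, err)
	}
}
```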