forgejo/modules
zeripath 0b1686b67a
Prevent redirect to Host (2) (#19175)
Unhelpfully Locations starting with `/\` will be converted by the
browser to `//` because ... well I do not fully understand. Certainly
the RFCs and MDN do not indicate that this would be expected. Providing
"compatibility" with the (mis)behaviour of a certain proprietary OS is
my suspicion. However, we clearly have to protect against this.

Therefore we should reject redirection locations that match the regular
expression: `^/[\\\\/]+`

Reference #9678

Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-03-23 16:12:36 +00:00
..
activitypub
analyze
appstate
auth RSS/Atom support for Repos (#19055) 2022-03-13 17:40:47 +01:00
avatar
base
cache
charset Don't treat BOM escape sequence as hidden character. (#18909) 2022-02-26 16:48:23 +00:00
context Prevent redirect to Host (2) (#19175) 2022-03-23 16:12:36 +00:00
convert
csv
doctor Use ctx instead of db.DefaultContext in some packages(routers/services/modules) (#19163) 2022-03-22 16:22:54 +01:00
emoji
eventsource
generate
git Make migrations SKIP_TLS_VERIFY apply to git too (#19132) 2022-03-19 14:16:38 +00:00
gitgraph Change git.cmd to RunWithContext (#18693) 2022-02-11 13:47:22 +01:00
graceful Immediately Hammer if second kill is sent (#18823) 2022-02-19 16:36:25 +00:00
hcaptcha
highlight
hostmatcher remove not needed (#19128) 2022-03-18 20:17:57 +01:00
httpcache
httplib
indexer Prevent Stats Indexer reporting error if repo dir missing (#18870) 2022-02-24 23:22:09 -05:00
json
lfs Update HTTP status codes to modern codes (#18063) 2022-03-23 12:54:07 +08:00
log migrations: add test for importing pull requests in gitea uploader (#18752) 2022-02-25 17:20:50 +08:00
markup nit fix (#19116) 2022-03-17 20:04:36 +02:00
metrics
migration Store the foreign ID of issues during migration (#18446) 2022-03-17 18:08:35 +01:00
nosql [API] Allow removing issues (#18879) 2022-03-01 01:20:15 +01:00
notification [API] Allow removing issues (#18879) 2022-03-01 01:20:15 +01:00
options
password
pprof
private Update HTTP status codes to modern codes (#18063) 2022-03-23 12:54:07 +08:00
process
proxy
public
queue Add number in queue status to monitor page (#18712) 2022-02-12 13:31:26 +08:00
recaptcha
references
repository Use ctx instead of db.DefaultContext in some packages(routers/services/modules) (#19163) 2022-03-22 16:22:54 +01:00
secret
session
setting Ensure that setting.LocalURL always has a trailing slash (#19171) 2022-03-22 16:59:57 +00:00
ssh Update golang.org/x/crypto (#19097) 2022-03-16 02:59:53 +01:00
storage Clean paths when looking in Storage (#19124) 2022-03-22 17:02:26 -04:00
structs Add config option to disable "Update branch by rebase" (#18745) 2022-03-04 03:30:49 -05:00
svg
sync
templates Prevent start panic due to missing DotEscape function 2022-03-23 16:08:27 +00:00
test Use ctx instead of db.DefaultContext in some packages(routers/services/modules) (#19163) 2022-03-22 16:22:54 +01:00
timeutil
translation Refactor i18n, use Locale to provide i18n/translation related functions (#18648) 2022-02-08 11:02:30 +08:00
typesniffer
updatechecker
upload
uri
user
util Cleanup protected branches when deleting users & teams (#19158) 2022-03-22 09:09:45 +08:00
validation
web Update HTTP status codes to modern codes (#18063) 2022-03-23 12:54:07 +08:00