mirror of https://github.com/go-gitea/gitea synced 2024-12-25 21:54:48 +01:00
gitea/modules
zeripath 0b1686b67a
Prevent redirect to Host (2) (#19175)
Unhelpfully, Locations starting with `/\` will be converted by the
browser to `//` because ... well I do not fully understand. Certainly
the RFCs and MDN do not indicate that this would be expected. Providing
"compatibility" with the (mis)behaviour of a certain proprietary OS is
my suspicion. However, we clearly have to protect against this.

Therefore we should reject redirection locations that match the regular
expression: `^/[\\\\/]+`

Reference #9678

Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-03-23 16:12:36 +00:00
activitypub
analyze
appstate
auth
avatar
base
cache
charset
context Prevent redirect to Host (2) (#19175) 2022-03-23 16:12:36 +00:00
convert
csv
doctor Use ctx instead of db.DefaultContext in some packages(routers/services/modules) (#19163) 2022-03-22 16:22:54 +01:00
emoji
eventsource
generate
git Make migrations SKIP_TLS_VERIFY apply to git too (#19132) 2022-03-19 14:16:38 +00:00
gitgraph
graceful
hcaptcha
highlight
hostmatcher remove not needed (#19128) 2022-03-18 20:17:57 +01:00
httpcache format with gofumpt (#18184) 2022-01-20 18:46:10 +01:00
httplib
indexer
json
lfs Update HTTP status codes to modern codes (#18063) 2022-03-23 12:54:07 +08:00
log
markup nit fix (#19116) 2022-03-17 20:04:36 +02:00
metrics
migration Store the foreign ID of issues during migration (#18446) 2022-03-17 18:08:35 +01:00
nosql
notification
options
password
pprof
private Update HTTP status codes to modern codes (#18063) 2022-03-23 12:54:07 +08:00
process
proxy
public
queue
recaptcha
references
repository Use ctx instead of db.DefaultContext in some packages(routers/services/modules) (#19163) 2022-03-22 16:22:54 +01:00
secret
session
setting Ensure that setting.LocalURL always has a trailing slash (#19171) 2022-03-22 16:59:57 +00:00
ssh
storage Clean paths when looking in Storage (#19124) 2022-03-22 17:02:26 -04:00
structs
svg
sync
templates Prevent start panic due to missing DotEscape function 2022-03-23 16:08:27 +00:00
test Use ctx instead of db.DefaultContext in some packages(routers/services/modules) (#19163) 2022-03-22 16:22:54 +01:00
timeutil
translation
typesniffer
updatechecker
upload
uri
user
util Cleanup protected branches when deleting users & teams (#19158) 2022-03-22 09:09:45 +08:00
validation
web Update HTTP status codes to modern codes (#18063) 2022-03-23 12:54:07 +08:00