zeripath 0b1686b67a

Prevent redirect to Host (2) (#19175) ...

Unhelpfully Locations starting with `/\` will be converted by the
browser to `//` because ... well I do not fully understand. Certainly
the RFCs and MDN do not indicate that this would be expected. Providing
"compatibility" with the (mis)behaviour of a certain proprietary OS is
my suspicion. However, we clearly have to protect against this.

Therefore we should reject redirection locations that match the regular
expression: `^/[\\\\/]+`

Reference #9678

Signed-off-by: Andrew Thornton <art27@cantab.net>

2022-03-23 16:12:36 +00:00

..

access_log.go

Pass down SignedUserName down to AccessLogger context (#16605)

2021-08-04 13:26:30 -04:00

api_org.go

Use a standalone struct name for Organization (#17632)

2021-11-19 19:41:40 +08:00

api_test.go

format with gofumpt (#18184)

2022-01-20 18:46:10 +01:00

api.go

Update HTTP status codes to modern codes (#18063)

2022-03-23 12:54:07 +08:00

auth.go

Renamed ctx.User to ctx.Doer. (#19161)

2022-03-22 15:03:22 +08:00

captcha.go

format with gofumpt (#18184)

2022-01-20 18:46:10 +01:00

context.go

Prevent redirect to Host (2) (#19175)

2022-03-23 16:12:36 +00:00

csrf.go

format with gofumpt (#18184)

2022-01-20 18:46:10 +01:00

form.go

Add config options to hide issue events (#17414)

2022-01-21 18:59:26 +01:00

org.go

Renamed ctx.User to ctx.Doer. (#19161)

2022-03-22 15:03:22 +08:00

pagination.go

Refactor admin user filter query parameters (#18965)

2022-03-02 16:30:14 +01:00

permission.go

Renamed ctx.User to ctx.Doer. (#19161)

2022-03-22 15:03:22 +08:00

private.go

format with gofumpt (#18184)

2022-01-20 18:46:10 +01:00

repo.go

Redirect .wiki/* ui link to /wiki (#18831)

2022-03-23 13:29:18 +00:00

response.go

format with gofumpt (#18184)

2022-01-20 18:46:10 +01:00

xsrf_test.go

Move macaron to chi (#14293)

2021-01-26 16:36:53 +01:00

xsrf.go

Move macaron to chi (#14293)

2021-01-26 16:36:53 +01:00