forgejo/modules/context
zeripath e3d8e92bdc
Prevent redirect to Host (2) (#19175) (#19186)
Backport #19175

Unhelpfully Locations starting with `/\` will be converted by the
browser to `//` because ... well I do not fully understand. Certainly
the RFCs and MDN do not indicate that this would be expected. Providing
"compatibility" with the (mis)behaviour of a certain proprietary OS is
my suspicion. However, we clearly have to protect against this.

Therefore we should reject redirection locations that match the regular
expression: `^/[\\\\/]+`

Reference #9678

Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-03-23 20:01:23 +00:00
..
access_log.go Pass down SignedUserName down to AccessLogger context (#16605) 2021-08-04 13:26:30 -04:00
api.go Refactor auth package (#17962) 2022-01-02 21:12:35 +08:00
api_org.go Use a standalone struct name for Organization (#17632) 2021-11-19 19:41:40 +08:00
api_test.go
auth.go Refactor auth package (#17962) 2022-01-02 21:12:35 +08:00
captcha.go Fix captcha (#14488) 2021-01-27 22:56:54 +08:00
context.go Prevent redirect to Host (2) (#19175) (#19186) 2022-03-23 20:01:23 +00:00
csrf.go Redirect on bad CSRF instead of presenting bad page (#14937) 2021-07-08 15:57:24 +02:00
form.go Rename ctx.Form() to ctx.FormString() and move code into own file (#16571) 2021-08-11 02:31:13 +02:00
org.go Allow adminstrator teams members to see other teams (#18918) (#18919) 2022-02-26 22:45:34 +01:00
pagination.go Refactor admin user filter query parameters (#18965) (#18975) 2022-03-02 19:57:18 +01:00
permission.go Move unit into models/unit/ (#17576) 2021-11-09 20:57:58 +01:00
private.go Update docs and comments to remove macaron (#14491) 2021-01-29 16:35:30 +01:00
repo.go Redirect .wiki/* ui link to /wiki (#18831) (#19184) 2022-03-23 16:46:08 +00:00
response.go Stop calling WriteHeader in Write (#15862) 2021-05-14 11:05:50 +03:00
xsrf.go Move macaron to chi (#14293) 2021-01-26 16:36:53 +01:00
xsrf_test.go Move macaron to chi (#14293) 2021-01-26 16:36:53 +01:00