From 923d15119002d20b86366d16a2c1522d21ecf471 Mon Sep 17 00:00:00 2001
From: wozz
Date: Fri, 20 Apr 2018 16:49:30 -0700
Subject: [PATCH 1/2] Fix open redirect

Fix open redirect by using strings.Trim. Another option would be to use path.Clean similar to here, but I'm unsure of side effects that may have for this use case: https://github.com/golang/go/blob/master/src/net/http/server.go#L2034

See a PoC of this issue with this link: https://iris-go.com//google.com/

Former-commit-id: fa422e436353a7e0699f0b346f3679455c5d965b
---
 core/router/handler.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/core/router/handler.go b/core/router/handler.go
index 323e693e..38b03a71 100644
--- a/core/router/handler.go
+++ b/core/router/handler.go
@@ -152,13 +152,14 @@ func (h *routerHandler) HandleRequest(ctx context.Context) {
 path := ctx.Path()
 if !ctx.Application().ConfigurationReadOnly().GetDisablePathCorrection() {
- if len(path) > 1 && path[len(path)-1] == '/' {
- // Remove trailing slash and client-permant rule for redirection,
+ if len(path) > 1 && strings.HasSuffix(path, '/') {
+ // Remove trailing slash and client-permanent rule for redirection,
 // if confgiuration allows that and path has an extra slash.
 // update the new path and redirect.
 r := ctx.Request()
- path = path[:len(path)-1]
+ // use Trim to ensure there is no open redirect due to two leading slashes
+ path = "/" + strings.Trim(path, "/")
 r.URL.Path = path
 url := r.URL.String()

From 21a31afb55f27b9fecaa8ba5bf7cc1431d89f96e Mon Sep 17 00:00:00 2001
From: wozz
Date: Fri, 20 Apr 2018 16:56:12 -0700
Subject: [PATCH 2/2] Update handler.go

Former-commit-id: f6bd29025c97d04b058584fecb8e0fee91021cb1
---
 core/router/handler.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/router/handler.go b/core/router/handler.go
index 38b03a71..24ecfc5d 100644
--- a/core/router/handler.go
+++ b/core/router/handler.go
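Review bot: The new line `path = "/" + strings.Trim(path, "/")` does more than the comment above it states: strings.Trim strips every leading and every trailing slash, so a path such as `/a//` now becomes `/a` where the old `path[:len(path)-1]` produced `/a/`, and any run of leading slashes collapses to one. I would widen the comment to `// Collapse all leading and trailing slashes: a Location beginning with "//" is scheme-relative and would send the client off-site.` so the next reader knows both effects are intended, and add a handler test asserting that the Location produced for a request path beginning with two slashes starts with a single "/" and carries no host, which pins the fix against regression. Note that the enclosing condition only fires when the path ends in "/", so the double-slash form without a trailing slash is served rather than redirected; that is fine for the redirect concern but is worth stating in the test. HandleRequest continues outside the hunk, the redirect call that consumes `url` is not visible here, and the hunk header counts more lines than appear, so this hunk looks truncated in the rendering.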
@@ -152,7 +152,7 @@ func (h *routerHandler) HandleRequest(ctx context.Context) {
 path := ctx.Path()
 if !ctx.Application().ConfigurationReadOnly().GetDisablePathCorrection() {
- if len(path) > 1 && strings.HasSuffix(path, '/') {
+ if len(path) > 1 && strings.HasSuffix(path, "/") {
 // Remove trailing slash and client-permanent rule for redirection,
 // if confgiuration allows that and path has an extra slash.