Fix open redirect

Fix open redirect by using strings.Trim.

Another option would be to use path.Clean, similar to what is done here, but I'm unsure of the side effects that may have for this use case: https://github.com/golang/go/blob/master/src/net/http/server.go#L2034

See a PoC of this issue with this link: https://iris-go.com//google.com/

Former-commit-id: fa422e436353a7e0699f0b346f3679455c5d965b
This commit is contained in:
wozz 2018-04-20 16:49:30 -07:00 committed by GitHub
parent cb69df2ccf
commit 923d151190


@ -152,13 +152,14 @@ func (h *routerHandler) HandleRequest(ctx context.Context) {
path := ctx.Path() path := ctx.Path()
if !ctx.Application().ConfigurationReadOnly().GetDisablePathCorrection() { if !ctx.Application().ConfigurationReadOnly().GetDisablePathCorrection() {
if len(path) > 1 && path[len(path)-1] == '/' { if len(path) > 1 && strings.HasSuffix(path, '/') {
// Remove trailing slash and client-permant rule for redirection, // Remove trailing slash and client-permanent rule for redirection,
// if confgiuration allows that and path has an extra slash. // if confgiuration allows that and path has an extra slash.
// update the new path and redirect. // update the new path and redirect.
r := ctx.Request() r := ctx.Request()
path = path[:len(path)-1] // use Trim to ensure there is no open redirect due to two leading slashes
path = "/" + strings.Trim(path, "/")
r.URL.Path = path r.URL.Path = path
url := r.URL.String() url := r.URL.String()