The Wayback Machine - https://web.archive.org/web/20220403211548/https://github.com/go-gitea/gitea/pull/19186

Prevent redirect to Host (2) (#19175) #19186

Merged
merged 3 commits into from Mar 23, 2022

Conversation

zeripath
Copy link
Contributor

@zeripath zeripath commented Mar 23, 2022

Backport #19175

Unhelpfully Locations starting with `/\` will be converted by the
browser to `//` because ... well I do not fully understand. Certainly
the RFCs and MDN do not indicate that this would be expected. Providing
"compatibility" with the (mis)behaviour of a certain proprietary OS is
my suspicion. However, we clearly have to protect against this.

Therefore we should reject redirection locations that match the regular
expression: `^/[\\\\/]+`

Reference #9678

Signed-off-by: Andrew Thornton [email protected]
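The check the description asks for, written out as an added example in Go (this is not gitea's code and not the diff of this PR). The regular expression is the one given in the description, `^/[\\\\/]+` as a Go double-quoted literal, which is the pattern `^/[\\/]+`. `IsSafeRedirectLocation` and `BrowserNormalizedPath` are hypothetical helper names; the rejection of absolute URLs with a scheme is this example's own assumption and is not part of the PR's regex. `BrowserNormalizedPath` models the behaviour the description complains about: a WHATWG-style URL parser treats a backslash as a forward slash in an http(s) URL, so a Location of `/\host` is fetched as the scheme-relative `//host`.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// protocolRelativeLocation is the regular expression from the PR description.
// As a Go raw string, `\\` inside the character class is one literal backslash,
// so this matches any location whose first path segment is empty: "//...",
// "/\...", "/\/..." and so on.
var protocolRelativeLocation = regexp.MustCompile(`^/[\\/]+`)

// BrowserNormalizedPath models what a WHATWG-style URL parser does with a
// backslash in an http(s) URL: it is treated as a forward slash. This is what
// turns "/\other-host.example" into the scheme-relative "//other-host.example".
// Hypothetical helper written for this example, not gitea code.
func BrowserNormalizedPath(loc string) string {
	return strings.ReplaceAll(loc, `\`, "/")
}

// IsSafeRedirectLocation reports whether loc may be used as the Location of a
// local redirect. Hypothetical helper written for this example, not gitea code.
// Only a rooted path is accepted: absolute URLs ("https://...") and the
// scheme-relative forms ("//host", "/\host") are rejected.
func IsSafeRedirectLocation(loc string) bool {
	if loc == "" || loc[0] != '/' {
		// Relative paths and anything carrying a scheme are rejected outright.
		// (This scheme check is the example's assumption, not the PR's regex.)
		return false
	}
	// The check described in the PR: reject "//..." and the "/\..." variants
	// that browsers normalise to "//...".
	return !protocolRelativeLocation.MatchString(loc)
}

func main() {
	// Constructed sample redirect targets; the host name is a placeholder.
	for _, loc := range []string{
		"/user/repo",
		"//other-host.example/",
		`/\other-host.example/`,
		`/\/other-host.example/`,
		"https://other-host.example/",
	} {
		fmt.Printf("%-28q browser sees %-28q safe=%v\n",
			loc, BrowserNormalizedPath(loc), IsSafeRedirectLocation(loc))
	}
}
```

Running it prints one line per sample target, showing that every location which the browser would normalise to a `//` prefix is rejected while an ordinary rooted path such as `/user/repo` passes.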
@zeripath zeripath added this to the 1.16.5 milestone Mar 23, 2022
@zeripath zeripath merged commit e3d8e92 into go-gitea:release/v1.16 Mar 23, 2022
2 checks passed
@zeripath zeripath deleted the backport-19175-v1.16 branch Mar 23, 2022
zeripath added a commit to zeripath/gitea that referenced this issue Mar 23, 2022
 ## [1.16.5](https://github.com/go-gitea/gitea/releases/tag/1.16.5) - 2022-03-23

* BREAKING
  * Bump to build with go1.18 (go-gitea#19120 et al) (go-gitea#19127)
* SECURITY
  * Prevent redirect to Host (2) (go-gitea#19175) (go-gitea#19186)
  * Try to prevent autolinking of displaynames by email readers (go-gitea#19169) (go-gitea#19183)
  * Clean paths when looking in Storage (go-gitea#19124) (go-gitea#19179)
  * Do not send notification emails to inactive users (go-gitea#19131) (go-gitea#19139)
  * Do not send activation email if manual confirm is set (go-gitea#19119) (go-gitea#19122)
* ENHANCEMENTS
  * Use the new/choose link for New Issue on project page (go-gitea#19172) (go-gitea#19176)
* BUGFIXES
  * Fix compare link in active feeds for new branch (go-gitea#19149) (go-gitea#19185)
  * Redirect .wiki/* ui link to /wiki (go-gitea#18831) (go-gitea#19184)
  * Ensure deploy keys with write access can push (go-gitea#19010) (go-gitea#19182)
  * Ensure that setting.LocalURL always has a trailing slash (go-gitea#19171) (go-gitea#19177)
  * Cleanup protected branches when deleting users & teams (go-gitea#19158) (go-gitea#19174)
  * Use IterateBufferSize whilst querying repositories during adoption check (go-gitea#19140) (go-gitea#19160)
  * Fix NPE /repos/issues/search when not signed in (go-gitea#19154) (go-gitea#19155)
  * Use custom favicon when viewing static files if it exists (go-gitea#19130) (go-gitea#19152)
  * Fix the editor height in review box (go-gitea#19003) (go-gitea#19147)
  * Ensure isSSH is set whenever DISABLE_HTTP_GIT is set (go-gitea#19028) (go-gitea#19146)
  * Fix wrong scopes caused by empty scope input (go-gitea#19029) (go-gitea#19145)
  * Make migrations SKIP_TLS_VERIFY apply to git too (go-gitea#19132) (go-gitea#19141)
  * Handle email address not exist (go-gitea#19089) (go-gitea#19121)
* MISC
  * Update json-iterator to allow compilation with go1.18 (go-gitea#18644) (go-gitea#19100)
  * Update golang.org/x/crypto (go-gitea#19097) (go-gitea#19098)

Signed-off-by: Andrew Thornton <[email protected]>
@zeripath zeripath mentioned this pull request Mar 23, 2022
zjjhot added a commit to zjjhot/gitea that referenced this issue Mar 25, 2022
…se/v1.16

* giteaofficial/release/v1.16: (53 commits)
  Bump goldmark to v1.4.11 (go-gitea#19201) (go-gitea#19203)
  Changelog for 1.16.5 (go-gitea#19189)
  Fix showing issues in your repositories (go-gitea#18916) (go-gitea#19191)
  Prevent redirect to Host (2) (go-gitea#19175) (go-gitea#19186)
  Fix compare link in active feeds for new branch (go-gitea#19149) (go-gitea#19185)
  Redirect .wiki/* ui link to /wiki (go-gitea#18831) (go-gitea#19184)
  Prevent start panic due to missing DotEscape function
  Fix the bug: deploy key with write access can not push (go-gitea#19010) (go-gitea#19182)
  Try to prevent autolinking of displaynames by email readers (go-gitea#19169) (go-gitea#19183)
  Clean paths when looking in Storage (go-gitea#19124) (go-gitea#19179)
  Cleanup protected branches when deleting users & teams (go-gitea#19158) (go-gitea#19174)
  Ensure that setting.LocalURL always has a trailing slash (go-gitea#19171) (go-gitea#19177)
  Use the new/choose link for New Issue on project page (go-gitea#19172) (go-gitea#19176)
  Use IterateBufferSize whilst querying repositories during adoption check (go-gitea#19140) (go-gitea#19160)
  Ensure isSSH is set whenever DISABLE_HTTP_GIT is set (go-gitea#19028) (go-gitea#19146)
  Use custom favicon when viewing static files if it exists (go-gitea#19130) (go-gitea#19152)
  Fix NPE /repos/issues/search when not signed in (go-gitea#19154) (go-gitea#19155)
  Fix wrong scopes caused by empty scope input (go-gitea#19029) (go-gitea#19145)
  Fix the editor height in review box (go-gitea#19003) (go-gitea#19147)
  Do not send notification emails to inactive users (go-gitea#19131) (go-gitea#19139)
  ...
4 participants