
Trailing slash middleware open redirect #1771

Closed
3 tasks done
GeoffreyFrogeye opened this issue Feb 10, 2021 · 1 comment

GeoffreyFrogeye commented Feb 10, 2021

Issue Description

When using middleware.AddTrailingSlashWithConfig (resp middleware.RemoveTrailingSlashWithConfig) with a RedirectCode configured, it is possible to create open redirects with addresses like this one: http://my_echo_app.com/%5Cevil_website_com (resp http://my_echo_app.com/%5Cevil_website_com/).

Checklist

  • Dependencies installed
  • No typos
  • Searched existing issues and docs

Steps to reproduce

Expected behaviour

Obtain a 404 error, or anything as long as I stay on localhost:1232.

Actual behaviour

Being redirected to example.com.

Working code to debug

package main

import (
	"net/http"

	"github.com/labstack/echo/v4"
	"github.com/labstack/echo/v4/middleware"
)

func main() {
	e := echo.New()

	// Redirect (instead of rewriting) requests whose path lacks a trailing slash.
	e.Use(middleware.AddTrailingSlashWithConfig(middleware.TrailingSlashConfig{
		RedirectCode: http.StatusMovedPermanently,
	}))

	e.Logger.Fatal(e.Start(":1323"))
}

This is basically the Full Go Example stripped down with the Custom Configuration example of the documentation on the Trailing Slash Middleware.

This also works with RemoveTrailingSlashWithConfig and the link http://localhost:1323/%5Cexample.com/.

Version/commit

Whatever is fetched by go get github.com/labstack/echo/v4 today (sorry, not super familiar with Go).


aldas commented Feb 11, 2021

Seems that /\ is interpreted by browsers as // or \\, which is an absolute URI: https://stackoverflow.com/a/4661857/2514290

This is what the Location header is:

curl -v http://localhost:1323/%5Cexample.com
*   Trying 127.0.0.1:1323...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 1323 (#0)
> GET /%5Cexample.com HTTP/1.1
> Host: localhost:1323
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Location: /\example.com/
< Date: Thu, 11 Feb 2021 09:33:31 GMT
< Content-Length: 0
< 
* Connection #0 to host localhost left intact
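
The following is an added example, not code from this issue or from the Echo project. It reproduces the mechanism described in the report and in the comment above with a small stand-in handler (addTrailingSlashHandler, a hypothetical imitation of the middleware's redirect branch, not Echo's implementation) and shows one way to harden it: sanitizeRedirectPath collapses a leading "//", "/\", "\/" or "\\" into a single "/" before it reaches the Location header, and leavesHostInBrowser is a check that mirrors the browser behaviour noted above (a Go URL parser would not flag the backslash form). Whether this matches the fix in commit f09f2bd is not shown on this page; treat it as an assumed approach.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// isSlashLike reports whether browsers treat the byte as a path separator.
func isSlashLike(b byte) bool {
	return b == '/' || b == '\\'
}

// leavesHostInBrowser mirrors browser URL resolution: a Location value that
// starts with two slash-like characters is read as a protocol-relative absolute
// URL, so the redirect leaves the current host. Useful as a test or log check.
func leavesHostInBrowser(location string) bool {
	return len(location) > 1 && isSlashLike(location[0]) && isSlashLike(location[1])
}

// sanitizeRedirectPath collapses any leading run of "/" and "\" into exactly
// one "/", so the resulting path can never be mistaken for "//host/...".
// This is an assumed hardening approach, not a quote of the project's fix.
func sanitizeRedirectPath(p string) string {
	if leavesHostInBrowser(p) {
		return "/" + strings.TrimLeft(p, `/\`)
	}
	return p
}

// addTrailingSlashHandler imitates the RedirectCode branch of an
// add-trailing-slash middleware: requests without a trailing slash are
// redirected to path + "/". With hardened=true the target is sanitized first.
func addTrailingSlashHandler(hardened bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		path := r.URL.Path
		if strings.HasSuffix(path, "/") {
			w.WriteHeader(http.StatusNotFound)
			return
		}
		target := path + "/"
		if r.URL.RawQuery != "" {
			target += "?" + r.URL.RawQuery
		}
		if hardened {
			target = sanitizeRedirectPath(target)
		}
		w.Header().Set("Location", target)
		w.WriteHeader(http.StatusMovedPermanently)
	})
}

// locationFor returns the Location header the handler emits for a raw
// request path such as "/%5Cexample.com" (the value from the report above).
func locationFor(hardened bool, rawPath string) string {
	req := httptest.NewRequest(http.MethodGet, "http://localhost:1323"+rawPath, nil)
	rec := httptest.NewRecorder()
	addTrailingSlashHandler(hardened).ServeHTTP(rec, req)
	return rec.Header().Get("Location")
}

func main() {
	// Constructed sample paths: a benign one and the two slash-like prefixes.
	for _, raw := range []string{"/foo", "/%5Cexample.com", "//example.com"} {
		vuln := locationFor(false, raw)
		fmt.Printf("%-18s vulnerable: %-20q leavesHost=%-5v hardened: %q\n",
			raw, vuln, leavesHostInBrowser(vuln), locationFor(true, raw))
	}
}
```

Run it and the vulnerable handler reproduces the "Location: /\example.com/" seen in the curl session, while the hardened handler answers "/example.com/", which stays on the original host. The leavesHostInBrowser check is the one to apply in a regression test for any handler that builds a Location value from request-controlled path data.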

aldas added a commit to aldas/echo that referenced this issue Feb 11, 2021
@lammel lammel closed this as completed in f09f2bd Feb 11, 2021