-
-
Notifications
You must be signed in to change notification settings - Fork 2.2k
New issue
Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? # to your account
Trailing slash middleware open redirect #1771
Labels
Comments
Seems that This is what curl -v http://localhost:1323/%5Cexample.com
* Trying 127.0.0.1:1323...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 1323 (#0)
> GET /%5Cexample.com HTTP/1.1
> Host: localhost:1323
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Location: /\example.com/
< Date: Thu, 11 Feb 2021 09:33:31 GMT
< Content-Length: 0
<
* Connection #0 to host localhost left intact |
aldas
added a commit
to aldas/echo
that referenced
this issue
Feb 11, 2021
…emoveTrailingSlashWithConfig (fix labstack#1771)
This was referenced Mar 14, 2021
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
Issue Description
When using
middleware.AddTrailingSlashWithConfig
(respmiddleware.RemoveTrailingSlashWithConfig
) with aRedirectCode
configured, it is possible to create open redirects with addresses like this one:http://my_echo_app.com/%5Cevil_website_com
(resphttp://my_echo_app.com/%5Cevil_website_com/
).Checklist
Steps to reproduce
Expected behaviour
Obtain a 404 error, or anything as long as I stay on localhost:1232.
Actual behaviour
Being redirected to
example.com
.Working code to debug
This is basically the Full Go Example stripped down with the Custom Configuration example of the documentation on the Trailing Slash Middleware.
This also works with
RemoveTrailingSlashWithConfig
and the link http://localhost:1323/%5Cexample.com/.Version/commit
Whatever is fetched by
go get github.com/labstack/echo/v4
today (sorry, not super familiar with Go).The text was updated successfully, but these errors were encountered: