
Prevent redirect bypasses via backslash-encoded paths (#36660)#36716

Merged
silverwind merged 1 commit intogo-gitea:release/v1.25from
GiteaBot:backport-36660-v1.25
Feb 23, 2026

Conversation

@GiteaBot (Collaborator)

Backport #36660 by @lunny

This change tightens relative URL validation to reject raw backslashes and %5c (encoded backslash), since browsers and URL normalizers can treat backslashes as path separators. That normalization can turn seemingly relative paths into scheme-relative URLs, creating open-redirect risk.

Visit the URLs below to reproduce the problem.

http://localhost:3000/user/login?redirect_to=/a/../\example.com

http://localhost:3000/user/login?redirect_to=/a/../%5cexample.com


---------

Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
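As an added illustration (not Gitea's own code), the following simulates why a target such as `/a/../\example.com` slips past a naive relative-URL check and what the hardened check rejects. The cleaning step mirrors what Go's `net/http.Redirect` does to a relative `Location` value (it applies `path.Clean`), and the browser rule is the WHATWG treatment of `\` as `/` in http(s) URLs; the function names and the sample redirect targets are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// ServerCleanedLocation mimics net/http.Redirect's handling of a relative
// Location: path.Clean resolves ".." but only knows "/" as a separator, so
// "/a/../\example.com" collapses to "/\example.com", backslash intact.
func ServerCleanedLocation(target string) string {
	trailing := strings.HasSuffix(target, "/")
	cleaned := path.Clean(target)
	if trailing && !strings.HasSuffix(cleaned, "/") {
		cleaned += "/"
	}
	return cleaned
}

// BrowserTreatsAsSchemeRelative reports whether a WHATWG-style parser reads
// the value as "//host": for http(s) a "\" counts as "/", so "/\example.com"
// resolves to http://example.com rather than a path on the current origin.
func BrowserTreatsAsSchemeRelative(location string) bool {
	if len(location) < 2 || location[0] != '/' {
		return false
	}
	return location[1] == '/' || location[1] == '\\'
}

// IsSafeRelativeRedirect is the hardened check: reject any raw backslash or
// "%5c" up front, before cleaning can move it next to the leading "/", then
// require a plain same-origin absolute path with no scheme, host or userinfo.
func IsSafeRelativeRedirect(target string) bool {
	if strings.Contains(target, `\`) || strings.Contains(strings.ToLower(target), "%5c") {
		return false
	}
	if !strings.HasPrefix(target, "/") || strings.HasPrefix(target, "//") {
		return false
	}
	u, err := url.Parse(target)
	return err == nil && u.Scheme == "" && u.Host == "" && u.User == nil
}

func main() {
	// Constructed sample: the raw-backslash target from the report.
	loc := ServerCleanedLocation(`/a/../\example.com`)
	fmt.Printf("cleaned=%q schemeRelative=%v safe=%v\n", loc,
		BrowserTreatsAsSchemeRelative(loc), IsSafeRelativeRedirect(`/a/../\example.com`))
}
```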
@GiteaBot GiteaBot added modifies/go Pull requests that update Go code type/bug labels Feb 22, 2026
@GiteaBot GiteaBot added this to the 1.25.5 milestone Feb 22, 2026
@GiteaBot GiteaBot requested a review from silverwind February 22, 2026 22:56
@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Feb 22, 2026
@GiteaBot GiteaBot requested a review from Zettat123 February 22, 2026 22:56
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Feb 22, 2026
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Feb 23, 2026
@silverwind silverwind merged commit 2aee44c into go-gitea:release/v1.25 Feb 23, 2026
26 checks passed
