auth: ensure the redirect URL always starts with a single slash (#10167)

Co-Authored-By: Keegan Carruthers-Smith <keegan.csmith@gmail.com>
2026-02-06 19:21:50 +00:00 · 2020-04-24 18:06:39 +08:00 · 2020-04-24 18:06:39 +08:00 · bde46f4ae8
commit bde46f4ae8
parent 2555ef0e46
2 changed files with 14 additions and 9 deletions
--- a/cmd/frontend/auth/redirect.go
+++ b/cmd/frontend/auth/redirect.go
@ -2,6 +2,7 @@ package auth

 import (
 	"net/url"
+	"path"
 	"strings"
 )

@ -15,6 +16,9 @@ func SafeRedirectURL(urlStr string) string {
 		return "/"
 	}

+	// Make sure u.Path always starts with a single slash.
+	u.Path = path.Clean(u.Path)
+
 	// Only take certain known-safe fields.
 	u = &url.URL{Path: u.Path, RawQuery: u.RawQuery}
 	return u.String()
--- a/cmd/frontend/auth/redirect_test.go
+++ b/cmd/frontend/auth/redirect_test.go
@ -4,15 +4,16 @@ import "testing"

 func TestSafeRedirectURL(t *testing.T) {
 	tests := map[string]string{
-		"":               "/",
-		"/":              "/",
-		"a@b.com:c":      "/",
-		"a@b.com/c":      "/",
-		"//a":            "/",
-		"http://a.com/b": "/b",
-		"//a.com/b":      "/b",
-		"//a@b.com/c":    "/c",
-		"/a?b":           "/a?b",
+		"":                   "/",
+		"/":                  "/",
+		"a@b.com:c":          "/",
+		"a@b.com/c":          "/",
+		"//a":                "/",
+		"http://a.com/b":     "/b",
+		"//a.com/b":          "/b",
+		"//a@b.com/c":        "/c",
+		"/a?b":               "/a?b",
+		"//foo//example.com": "/example.com",
 	}
 	for input, want := range tests {
 		got := SafeRedirectURL(input)