authorUnknwon <u@gogs.io>2018-09-28 23:19:08 -0400
committerUnknwon <u@gogs.io>2018-09-28 23:19:29 -0400
commitbd7d1e2f169d6cdfecd952a1d3ed55d0f49f4104 (patch)
treec6c0b5db2afb16081f3aecc8f441f7618f824a91 /routes/user/auth.go
parentaff0bbcc325d9564fcd2b08c2fd52281f0dfc486 (diff)
routes: fix open redirect vulnerability (#5355)
Reported by @cezar97.
Diffstat (limited to 'routes/user/auth.go')
-rw-r--r--routes/user/auth.go12
1 files changed, 3 insertions, 9 deletions
diff --git a/routes/user/auth.go b/routes/user/auth.go
index 0f4a490f..3140d9f9 100644
--- a/routes/user/auth.go
+++ b/routes/user/auth.go
@@ -17,6 +17,7 @@ import (
"github.com/gogs/gogs/pkg/form"
"github.com/gogs/gogs/pkg/mailer"
"github.com/gogs/gogs/pkg/setting"
+ "github.com/gogs/gogs/pkg/tool"
)
const (
@@ -72,13 +73,6 @@ func AutoLogin(c *context.Context) (bool, error) {
return true, nil
}
-// isValidRedirect returns false if the URL does not redirect to same site.
-// False: //url, http://url, /\url
-// True: /url
-func isValidRedirect(url string) bool {
- return len(url) >= 2 && url[0] == '/' && url[1] != '/' && url[1] != '\\'
-}
-
func Login(c *context.Context) {
c.Title("sign_in")
@@ -97,7 +91,7 @@ func Login(c *context.Context) {
}
if isSucceed {
- if isValidRedirect(redirectTo) {
+ if tool.IsSameSiteURLPath(redirectTo) {
c.Redirect(redirectTo)
} else {
c.SubURLRedirect("/")
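Review bot: The reason the redirect is gated is no longer visible at the call site: the deleted `isValidRedirect` carried the doc comment listing the rejected forms (`//url`, `http://url`, `/\url`), and nothing next to the new `tool.IsSameSiteURLPath` call in the `if isSucceed` branch says why a failed check falls back to `c.SubURLRedirect("/")`. A one-line why-comment above the `if` would stop a later maintainer from "simplifying" the check away: `// Only follow same-site paths; a user-supplied absolute or scheme-relative URL here is an open redirect (#5355).` The hunk does not show where `redirectTo` is read from, and Login's body continues outside it, so whether the value is already percent-decoded when it reaches this check cannot be confirmed from the diff.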
@@ -143,7 +137,7 @@ func afterLogin(c *context.Context, u *models.User, remember bool) {
redirectTo, _ := url.QueryUnescape(c.GetCookie("redirect_to"))
c.SetCookie("redirect_to", "", -1, setting.AppSubURL)
- if isValidRedirect(redirectTo) {
+ if tool.IsSameSiteURLPath(redirectTo) {
c.Redirect(redirectTo)
return
}
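Review bot: The value passed to `tool.IsSameSiteURLPath` on the changed line is the cookie after `url.QueryUnescape`, so the check runs on the decoded form, which is the right order; but if the new helper keeps the contract of the function it replaces (inspect only the first two bytes), a decoded value such as `/\t/evil.example` still passes and reaches `c.Redirect` unchanged, and browsers strip ASCII tab and newline while parsing a Location URL, leaving `//evil.example`, a scheme-relative redirect off-site. The helper's body is not in this file, so treat this as a point to confirm against pkg/tool rather than a confirmed bypass. The rejection belongs in `IsSameSiteURLPath` itself so every caller benefits; failing that, a one-line guard before the `if` closes it at this call site: `if strings.ContainsAny(redirectTo, "\t\n\r") { redirectTo = "" }` (`strings` would need importing if it is not already), after which the empty string should fail the same-site check, provided the helper rejects strings shorter than two bytes as the old one did. afterLogin's closing brace and the fallback `c.SubURLRedirect("/")` lie outside the hunk.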