From bd7d1e2f169d6cdfecd952a1d3ed55d0f49f4104 Mon Sep 17 00:00:00 2001
From: Unknwon
Date: Fri, 28 Sep 2018 23:19:08 -0400
Subject: routes: fix open redirect vulnerability (#5355)
Reported by @cezar97.
---
 routes/repo/branch.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'routes/repo/branch.go')
diff --git a/routes/repo/branch.go b/routes/repo/branch.go
index 432ebe86..e24df65a 100644
--- a/routes/repo/branch.go
+++ b/routes/repo/branch.go
@@ -14,6 +14,7 @@ import (
 "github.com/gogs/gogs/models"
 "github.com/gogs/gogs/pkg/context"
+ "github.com/gogs/gogs/pkg/tool"
 )
 const (
@@ -112,7 +113,7 @@ func DeleteBranchPost(c *context.Context) {
 defer func() {
 redirectTo := c.Query("redirect_to")
- if len(redirectTo) == 0 {
+ if !tool.IsSameSiteURLPath(redirectTo) {
 redirectTo = c.Repo.RepoLink
 }
 c.Redirect(redirectTo)
-- cgit v1.2.3
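Review bot: The new guard in the deferred redirect of DeleteBranchPost rests entirely on `tool.IsSameSiteURLPath`, whose body is not part of this diff, so its handling of an empty value, of `//host` and of `/\host` cannot be confirmed from here. The old `len(redirectTo) == 0` fallback to `c.Repo.RepoLink` is only preserved if the helper returns false for the empty string. A table-driven test on the helper covering those inputs would pin the behaviour this fix depends on. The call site would also benefit from a comment stating the intent, e.g. `// redirect_to is user-controlled: follow it only when it is a same-site path, otherwise fall back to the repository page`. The body of DeleteBranchPost starts and ends outside the hunk.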