From 5f7aa0a04de7ea96f9056bf79308206d99c0a7ec Mon Sep 17 00:00:00 2001
From: wozz
Date: Fri, 20 Apr 2018 16:49:30 -0700
Subject: [PATCH 1/2] Fix open redirect

Fix open redirect by using strings.Trim. Another option would be to use path.Clean similar to here, but I'm unsure of side effects that may have for this use case: https://github.com/golang/go/blob/master/src/net/http/server.go#L2034 See a PoC of this issue with this link: https://iris-go.com//google.com/
---
 core/router/handler.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/core/router/handler.go b/core/router/handler.go
index 323e693ea6..38b03a71a5 100644
--- a/core/router/handler.go
+++ b/core/router/handler.go
@@ -152,13 +152,14 @@ func (h *routerHandler) HandleRequest(ctx context.Context) {
 path := ctx.Path()
 if !ctx.Application().ConfigurationReadOnly().GetDisablePathCorrection() {
- if len(path) > 1 && path[len(path)-1] == '/' {
- // Remove trailing slash and client-permant rule for redirection,
+ if len(path) > 1 && strings.HasSuffix(path, '/') {
+ // Remove trailing slash and client-permanent rule for redirection,
 // if confgiuration allows that and path has an extra slash.
 // update the new path and redirect.
 r := ctx.Request()
- path = path[:len(path)-1]
+ // use Trim to ensure there is no open redirect due to two leading slashes
+ path = "/" + strings.Trim(path, "/")
 r.URL.Path = path
 url := r.URL.String()

From 0055eef35dafccae0cd414172296ea3d9a885448 Mon Sep 17 00:00:00 2001
From: wozz
Date: Fri, 20 Apr 2018 16:56:12 -0700
Subject: [PATCH 2/2] Update handler.go

---
 core/router/handler.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/router/handler.go b/core/router/handler.go
index 38b03a71a5..24ecfc5d74 100644
--- a/core/router/handler.go
+++ b/core/router/handler.go
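Review bot: The new `path = "/" + strings.Trim(path, "/")` line carries no regression test for the property it exists to guarantee, namely that the Location value built from `r.URL.String()` two lines below can never begin with `//`; a table-driven test that sends a constructed request path such as `//example.invalid/` and `/foo//` through HandleRequest and asserts the redirect targets `/example.invalid` and `/foo` would keep a later refactor of this branch from reintroducing the issue. The added comment should also state the invariant rather than the mechanism, e.g. `// Collapse leading and trailing slashes so the rewritten path starts with exactly one "/" and can never become a scheme-relative "//host" redirect target.` Note that Trim strips every trailing slash, so `/foo///` now redirects to `/foo` where the old `path[:len(path)-1]` produced `/foo//`; presumably intended, but worth a sentence in the commit message since it changes observable redirect targets. HandleRequest continues past this hunk, and the hunk as shown ends before the redirect call itself, so the fix is only as complete as the code that consumes `url` below.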
@@ -152,7 +152,7 @@ func (h *routerHandler) HandleRequest(ctx context.Context) {
 path := ctx.Path()
 if !ctx.Application().ConfigurationReadOnly().GetDisablePathCorrection() {
- if len(path) > 1 && strings.HasSuffix(path, '/') {
+ if len(path) > 1 && strings.HasSuffix(path, "/") {
 // Remove trailing slash and client-permanent rule for redirection,
 // if confgiuration allows that and path has an extra slash.