Fix double backslash open redirect (#1096)
parent
58990ec762
commit
332fcb27d9
|
@ -87,7 +87,7 @@ class NextUrlSanitizer:
|
||||||
return replaced
|
return replaced
|
||||||
else:
|
else:
|
||||||
return None
|
return None
|
||||||
if result.path and result.path[0] == "/":
|
if result.path and result.path[0] == "/" and not result.path.startswith("//"):
|
||||||
return result.path
|
return result.path
|
||||||
|
|
||||||
return None
|
return None
|
||||||
|
|
|
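Review bot: The new condition on the `if result.path and result.path[0] == "/" and not result.path.startswith("//")` line inspects only the first two characters of the parsed path, so it depends on `urlparse` having already normalised the input. Depending on the Python version, `urlparse` may leave ASCII tab, CR or LF characters inside the path, while browsers drop them when resolving a redirect target, so a path that does not literally begin with `//` could still be read as one by the client. Consider rejecting such paths before this check, e.g. `if any(c in result.path for c in "\t\r\n"): return None`, and add a comment such as `# "//host" is scheme-relative: browsers resolve it as an absolute URL to host` so the reason for the guard stays visible. The enclosing method begins above the hunk, so how `replaced` and `result` are built cannot be confirmed from here.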
@ -27,6 +27,7 @@ def generate_sanitize_url_cases() -> List:
|
||||||
["/auth", "/auth"],
|
["/auth", "/auth"],
|
||||||
["/some/path", "/some/path"],
|
["/some/path", "/some/path"],
|
||||||
["//somewhere.net", None],
|
["//somewhere.net", None],
|
||||||
|
["//\\\\evil.com", None],
|
||||||
]
|
]
|
||||||
for domain in ALLOWED_REDIRECT_DOMAINS:
|
for domain in ALLOWED_REDIRECT_DOMAINS:
|
||||||
cases.append([f"http://{domain}", f"http://{domain}"])
|
cases.append([f"http://{domain}", f"http://{domain}"])
|
||||||
|
|
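Review bot: The added case `["//\\\\evil.com", None]` is written as an ordinary string literal, so the four backslashes shown in the source are two literal backslashes at runtime, which is easy to misread when auditing what the sanitizer is actually tested against. A raw string, `[r"//\\evil.com", None]`, shows the tested input exactly. A short comment such as `# "//" followed by two backslashes must not be accepted as a local path` would record why the case exists. `generate_sanitize_url_cases` starts and ends outside the hunk, so other backslash cases may already be covered there.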