gitea/modules
zeripath 0b1686b67a
Prevent redirect to Host (2) (#19175)
Unhelpfully, Locations starting with `/\` will be converted by the
browser to `//` because ... well I do not fully understand. Certainly
the RFCs and MDN do not indicate that this would be expected. Providing
"compatibility" with the (mis)behaviour of a certain proprietary OS is
my suspicion. However, we clearly have to protect against this.

Therefore we should reject redirection locations that match the regular
expression: `^/[\\\\/]+`

Reference #9678

Signed-off-by: Andrew Thornton <art27@cantab.net>
2022-03-23 16:12:36 +00:00
activitypub
analyze
appstate
auth RSS/Atom support for Repos (#19055) 2022-03-13 17:40:47 +01:00
avatar
base
cache
charset
context Prevent redirect to Host (2) (#19175) 2022-03-23 16:12:36 +00:00
convert API: Return primary language and repository language stats API URL (#18396) 2022-01-25 08:33:40 +02:00
csv
doctor Use `ctx` instead of `db.DefaultContext` in some packages(routers/services/modules) (#19163) 2022-03-22 16:22:54 +01:00
emoji
eventsource Simplify parameter types (#18006) 2021-12-20 04:41:31 +00:00
generate
git Make migrations SKIP_TLS_VERIFY apply to git too (#19132) 2022-03-19 14:16:38 +00:00
gitgraph Change git.cmd to RunWithContext (#18693) 2022-02-11 13:47:22 +01:00
graceful Immediately Hammer if second kill is sent (#18823) 2022-02-19 16:36:25 +00:00
hcaptcha
highlight
hostmatcher remove not needed (#19128) 2022-03-18 20:17:57 +01:00
httpcache
httplib refactor httplib (#18338) 2022-01-19 19:31:39 -05:00
indexer
json
lfs Update HTTP status codes to modern codes (#18063) 2022-03-23 12:54:07 +08:00
log migrations: add test for importing pull requests in gitea uploader (#18752) 2022-02-25 17:20:50 +08:00
markup nit fix (#19116) 2022-03-17 20:04:36 +02:00
metrics
migration Store the foreign ID of issues during migration (#18446) 2022-03-17 18:08:35 +01:00
nosql
notification
options
password
pprof
private Update HTTP status codes to modern codes (#18063) 2022-03-23 12:54:07 +08:00
process
proxy
public
queue Add number in queue status to monitor page (#18712) 2022-02-12 13:31:26 +08:00
recaptcha
references
repository Use `ctx` instead of `db.DefaultContext` in some packages(routers/services/modules) (#19163) 2022-03-22 16:22:54 +01:00
secret
session
setting Ensure that setting.LocalURL always has a trailing slash (#19171) 2022-03-22 16:59:57 +00:00
ssh Update golang.org/x/crypto (#19097) 2022-03-16 02:59:53 +01:00
storage Clean paths when looking in Storage (#19124) 2022-03-22 17:02:26 -04:00
structs Add config option to disable "Update branch by rebase" (#18745) 2022-03-04 03:30:49 -05:00
svg
sync
templates Prevent start panic due to missing DotEscape function 2022-03-23 16:08:27 +00:00
test Use `ctx` instead of `db.DefaultContext` in some packages(routers/services/modules) (#19163) 2022-03-22 16:22:54 +01:00
timeutil format with gofumpt (#18184) 2022-01-20 18:46:10 +01:00
translation
typesniffer
updatechecker
upload
uri
user
util Cleanup protected branches when deleting users & teams (#19158) 2022-03-22 09:09:45 +08:00
validation
web Update HTTP status codes to modern codes (#18063) 2022-03-23 12:54:07 +08:00