Fix double backslash open redirect (#1096)
This commit is contained in:
parent
58990ec762
commit
332fcb27d9
|
@ -87,7 +87,7 @@ class NextUrlSanitizer:
|
|||
return replaced
|
||||
else:
|
||||
return None
|
||||
if result.path and result.path[0] == "/":
|
||||
if result.path and result.path[0] == "/" and not result.path.startswith("//"):
|
||||
return result.path
|
||||
|
||||
return None
|
||||
|
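Review bot: The new `startswith("//")` guard on the changed `if` line rejects only a scheme-relative path, and whether the single-slash-plus-backslash form `/\host` is also caught depends on how `result` is built before this hunk, which is outside it; if backslashes are not folded into slashes there, a client that treats `\` as `/` would still read an authority from the returned path. Consider widening the condition to `not result.path.startswith(("//", "/\\"))` and stating the intent above it with `# a leading "//" (or "/\") names an authority, not a path, so it must not be returned as a local redirect`. The test hunk below in `generate_sanitize_url_cases` shares the gap: its only new case, `"//\\\\evil.com"`, begins with `//` and is rejected by the `//` check alone, so a case such as `["/\\evil.com", None]` would be needed to pin backslash handling. The enclosing method of `NextUrlSanitizer` begins before this hunk.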
|
|
@ -27,6 +27,7 @@ def generate_sanitize_url_cases() -> List:
|
|||
["/auth", "/auth"],
|
||||
["/some/path", "/some/path"],
|
||||
["//somewhere.net", None],
|
||||
["//\\\\evil.com", None],
|
||||
]
|
||||
for domain in ALLOWED_REDIRECT_DOMAINS:
|
||||
cases.append([f"http://{domain}", f"http://{domain}"])
|
||||
|
|