0b1686b67a
Unhelpfully Locations starting with `/\` will be converted by the browser to `//` because ... well I do not fully understand. Certainly the RFCs and MDN do not indicate that this would be expected. Providing "compatibility" with the (mis)behaviour of a certain proprietary OS is my suspicion. However, we clearly have to protect against this. Therefore we should reject redirection locations that match the regular expression: `^/[\\\\/]+` Reference #9678 Signed-off-by: Andrew Thornton <art27@cantab.net> |
||
---|---|---|
.. | ||
access_log.go | ||
api.go | ||
api_org.go | ||
api_test.go | ||
auth.go | ||
captcha.go | ||
context.go | ||
csrf.go | ||
form.go | ||
org.go | ||
pagination.go | ||
permission.go | ||
private.go | ||
repo.go | ||
response.go | ||
xsrf.go | ||
xsrf_test.go |