From 255d820b83d64c0eefefa6a30a8929c437416651 Mon Sep 17 00:00:00 2001
From: Francis Lavoie
Date: Tue, 5 Mar 2024 18:19:46 -0500
Subject: [PATCH] Clarify that only a path should be passed

---
 modules/caddyhttp/fileserver/staticfiles.go | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/modules/caddyhttp/fileserver/staticfiles.go b/modules/caddyhttp/fileserver/staticfiles.go
index e32a726fa8aa..57d1bc85180d 100644
--- a/modules/caddyhttp/fileserver/staticfiles.go
+++ b/modules/caddyhttp/fileserver/staticfiles.go
@@ -639,16 +639,18 @@ func calculateEtag(d os.FileInfo) string {
 	return `"` + t + s + `"`
 }
 
-func redirect(w http.ResponseWriter, r *http.Request, to string) error {
-	for strings.HasPrefix(to, "//") {
+// redirect performs a redirect to a given path. The 'toPath' parameter
+// MUST be solely a path, and MUST NOT include a query.
+func redirect(w http.ResponseWriter, r *http.Request, toPath string) error {
+	for strings.HasPrefix(toPath, "//") {
 		// prevent path-based open redirects
-		to = strings.TrimPrefix(to, "/")
+		toPath = strings.TrimPrefix(toPath, "/")
 	}
 
 	// preserve the query string if present
 	if r.URL.RawQuery != "" {
-		to += "?" + r.URL.RawQuery
+		toPath += "?" + r.URL.RawQuery
 	}
-	http.Redirect(w, r, to, http.StatusPermanentRedirect)
+	http.Redirect(w, r, toPath, http.StatusPermanentRedirect)
 	return nil
 }
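Review bot: The new doc comment states that toPath MUST NOT include a query, but nothing in the function enforces that contract, and the existing "?" + r.URL.RawQuery concatenation would silently produce a Location value with two '?' separators if a caller violates it. Since the function already returns an error that is currently always nil, the contract can fail closed instead of relying on the comment: `if strings.Contains(toPath, "?") {` / `	return fmt.Errorf("redirect target must be a bare path, got query in %q", toPath)` / `}` placed before the "//" loop (this assumes fmt is imported in this file; use errors.New with a fixed message otherwise). Callers would then need to check the returned error rather than discarding it, which is worth confirming at the call sites outside this hunk. Separately, the doc comment could note that the request's own query is re-attached, so callers should not try to carry it over themselves.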