Clarify that only a path should be passed
francislavoie authored Mar 5, 2024
1 parent c2e9254 commit 879bef4
Showing 1 changed file with 7 additions and 5 deletions.
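--- a/modules/caddyhttp/fileserver/staticfiles.go
+++ b/modules/caddyhttp/fileserver/staticfiles.go
@@ -639,16 +639,18 @@ func calculateEtag(d os.FileInfo) string {
 return `"` + t + s + `"`
 }
 
-func redirect(w http.ResponseWriter, r *http.Request, to string) error {
-for strings.HasPrefix(to, "//") {
+// redirect performs a redirect to a given path. The 'toPath' parameter
+// MUST be solely a path, and MUST NOT include a query.
+func redirect(w http.ResponseWriter, r *http.Request, toPath string) error {
+for strings.HasPrefix(toPath, "//") {
 // prevent path-based open redirects
-to = strings.TrimPrefix(to, "/")
+toPath = strings.TrimPrefix(toPath, "/")
 }
 // preserve the query string if present
 if r.URL.RawQuery != "" {
-to += "?" + r.URL.RawQuery
+toPath += "?" + r.URL.RawQuery
 }
-http.Redirect(w, r, to, http.StatusPermanentRedirect)
+http.Redirect(w, r, toPath, http.StatusPermanentRedirect)
 return nil
 }
 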
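Review bot: The new doc comment on `redirect` states the contract (path only, no query) but nothing in the body enforces it, and the comment does not say what goes wrong when it is broken. From the visible lines, the only sanitising step is the loop that strips a leading `//`; a `toPath` that carried a scheme and host, or its own `?query`, would reach `http.Redirect` unchanged apart from the appended `r.URL.RawQuery`. I would put the reason in the comment, e.g. `// Only a leading "//" is stripped here, so toPath must be built from the request path and never from a caller-supplied URL.` Whether any call site can violate this is not visible in this hunk, so the callers are worth checking against the new wording.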
