From 6c8ec4deda45b39eb12b9d24e6ef43ab4b7d827f Mon Sep 17 00:00:00 2001
From: cyal1 <33282478+cyal1@users.noreply.github.com>
Date: Thu, 28 Mar 2024 23:05:09 +0800
Subject: [PATCH 1/3] fixed open redirect
---
 gin.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/gin.go b/gin.go
index 1633fe13..69bf1673 100644
--- a/gin.go
+++ b/gin.go
@@ -699,6 +699,7 @@ func redirectTrailingSlash(c *Context) {
 p = prefix + "/" + req.URL.Path
 }
 req.URL.Path = p + "/"
+ p = regRemoveRepeatedChar.ReplaceAllString(p, "/")
 if length := len(p); length > 1 && p[length-1] == '/' {
 req.URL.Path = p[:length-1]
 }
From 29db90e1fc90a8a4fe88c5bb78bb07c8a27c3281 Mon Sep 17 00:00:00 2001
From: cyal1 <33282478+cyal1@users.noreply.github.com>
Date: Mon, 1 Apr 2024 14:50:18 +0800
Subject: [PATCH 2/3] fixed open redirect
---
 gin.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gin.go b/gin.go
index 69bf1673..bcfc37c0 100644
--- a/gin.go
+++ b/gin.go
@@ -699,7 +699,7 @@ func redirectTrailingSlash(c *Context) {
 p = prefix + "/" + req.URL.Path
 }
 req.URL.Path = p + "/"
- p = regRemoveRepeatedChar.ReplaceAllString(p, "/")
+ p = regexp.MustCompile("^/{2,}").ReplaceAllString(p, "/")
 if length := len(p); length > 1 && p[length-1] == '/' {
 req.URL.Path = p[:length-1]
 }
From b7dd5120ef35e1ed60c497d770495aa3054e6ab1 Mon Sep 17 00:00:00 2001
From: cyal1 <33282478+cyal1@users.noreply.github.com>
Date: Mon, 1 Apr 2024 14:52:28 +0800
Subject: [PATCH 3/3] add open redirect test case https://github.com/gin-gonic/gin/pull/3907
---
 routes_test.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/routes_test.go b/routes_test.go
index 73f393e7..43eb82e8 100644
--- a/routes_test.go
+++ b/routes_test.go
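Review bot: The added collapse runs after `req.URL.Path = p + "/"` has already been assigned from the uncollapsed `p`, so only the branch that strips a trailing slash (the `if` just below) sees the sanitized value; when `p` does not end in `/`, the redirect target keeps its leading `//`. Move the line up so both assignments derive from the collapsed path: put `p = regRemoveRepeatedChar.ReplaceAllString(p, "/")` immediately before `req.URL.Path = p + "/"`. Whether a request without a trailing slash can reach this function with a leading `//` depends on the router's trailing-slash detection, which is outside the hunk, but sanitizing first removes the dependency on that detail. `regRemoveRepeatedChar` is not defined in the hunk; if it collapses every run of slashes rather than only a leading one, interior `//` segments are rewritten as well, which changes the redirect target for such paths. The function's head and the call that emits the redirect are outside the hunk.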
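Review bot: `regexp.MustCompile("^/{2,}")` is compiled on every call of `redirectTrailingSlash`; a regexp should be compiled once at package scope, and `MustCompile`'s panic belongs in package init rather than on a request path — declare `var regLeadingSlashes = regexp.MustCompile("^/{2,}")` next to the file's other `reg…` variables and use `p = regLeadingSlashes.ReplaceAllString(p, "/")` here. The collapse only treats forward slashes: a path such as `/\evil.com/` would still produce a `Location` of `/\evil.com`, and WHATWG-conformant browsers treat `\` like `/` in http(s) URLs, so that is read as `//evil.com` — a well-known bypass of leading-`//` filters; I cannot tell from the hunk whether the router's trailing-slash detection lets such a path reach this function, so it deserves a test either way. A cheap defence is to also reject or percent-encode a backslash within the first two bytes of `p` before the redirect target is built. The rest of the function, including the call that emits the redirect, is outside the hunk.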
@@ -149,8 +149,13 @@ func TestRouteRedirectTrailingSlash(t *testing.T) {
 router.GET("/path2/", func(c *Context) {})
 router.POST("/path3", func(c *Context) {})
 router.PUT("/path4/", func(c *Context) {})
+ router.GET("/:param1/:param2", func(c *Context) {})
- w := PerformRequest(router, http.MethodGet, "/path/")
+ w := PerformRequest(router, http.MethodGet, "//path/")
+ assert.Equal(t, "/path", w.Header().Get("Location"))
+ assert.Equal(t, http.StatusMovedPermanently, w.Code)
+
+ w = PerformRequest(router, http.MethodGet, "/path/")
 assert.Equal(t, "/path", w.Header().Get("Location"))
 assert.Equal(t, http.StatusMovedPermanently, w.Code)
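Review bot: The new case only exercises the branch of `redirectTrailingSlash` that strips a trailing slash (`//path/` → `/path`); the branch that appends a slash is not covered with a leading `//`, and neither is a backslash variant (`/\path/`), which browsers read as `//path`. If the router still produces a trailing-slash redirect for those inputs, add cases asserting that `Location` never begins with `//` or `/\`, e.g. `w = PerformRequest(router, http.MethodGet, "///path/")` expecting `/path`. Registering `/:param1/:param2` appears to be what turns `//path/` into a trailing-slash candidate; a one-line comment on that registration, `// param route so that "//path/" is resolved as a trailing-slash redirect rather than a 404`, would stop the next maintainer from removing it as unused. `TestRouteRedirectTrailingSlash` continues past the hunk.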