qbit/go
1
0
Fork 0
mirror of https://github.com/golang/go synced 2024-11-19 14:54:43 -07:00
Code Releases Activity

http: don't Clean query string in relative redirects

Browse Source 
R=adg, rsc, kevlar, r
CC=golang-dev
https://golang.org/cl/4476045
This commit is contained in:
Brad Fitzpatrick 2011-05-11 04:30:05 -07:00
parent a03bfe7f69
commit b276293aba
2 changed files with 23 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
src/pkg/http/serve_test.go
View File

@ -693,3 +693,20 @@ func TestTimeoutHandler(t *testing.T) {
t.Errorf("expected Write error of %v; got %v", e, g)
}
}
// Verifies we don't path.Clean() on the wrong parts in redirects.
func TestRedirectMunging(t *testing.T) {
req, _ := NewRequest("GET", "http://example.com/", nil)
resp := httptest.NewRecorder()
Redirect(resp, req, "/foo?next=http://bar.com/", 302)
if g, e := resp.Header().Get("Location"), "/foo?next=http://bar.com/"; g != e {
t.Errorf("Location header was %q; want %q", g, e)
}
resp = httptest.NewRecorder()
Redirect(resp, req, "http://localhost:8080/_ah/login?continue=http://localhost:8080/", 302)
if g, e := resp.Header().Get("Location"), "http://localhost:8080/_ah/login?continue=http://localhost:8080/"; g != e {
t.Errorf("Location header was %q; want %q", g, e)
}
}

6
src/pkg/http/server.go
View File

@ -581,12 +581,18 @@ func Redirect(w ResponseWriter, r *Request, url string, code int) {
url = olddir + url
}
var query string
if i := strings.Index(url, "?"); i != -1 {
url, query = url[:i], url[i:]
}
// clean up but preserve trailing slash
trailing := url[len(url)-1] == '/'
url = path.Clean(url)
if trailing && url[len(url)-1] != '/' {
url += "/"
}
url += query
}
}