fix(security): reject CRLF and normalize URLs in TurboHttpResponse.Redirect()

st0o0 · st0o0 · commit 74c95f5711f8 · 2026-05-19T16:00:26.000+02:00
diff --git a/src/TurboHTTP/Server/Context/TurboHttpResponse.cs b/src/TurboHTTP/Server/Context/TurboHttpResponse.cs
@@ -74,14 +74,22 @@ public override void Redirect(string location, bool permanent = false)
     {
         ArgumentNullException.ThrowIfNull(location);
 
-        if (!location.StartsWith('/') &&
-            Uri.TryCreate(location, UriKind.Absolute, out var uri) &&
-            uri.Scheme is not ("http" or "https"))
+        if (location.AsSpan().ContainsAny('\r', '\n'))
+        {
+            throw new ArgumentException("Redirect location must not contain CR or LF characters.", nameof(location));
+        }
+
+        if (!Uri.TryCreate(location, UriKind.RelativeOrAbsolute, out var parsed))
+        {
+            throw new ArgumentException("Redirect location is not a valid URI.", nameof(location));
+        }
+
+        if (parsed.IsAbsoluteUri && parsed.Scheme is not ("http" or "https"))
         {
             throw new ArgumentException("Redirect location must be a relative path or an HTTP/HTTPS URL.", nameof(location));
         }
 
         StatusCode = permanent ? 301 : 302;
-        Headers["Location"] = location;
+        Headers["Location"] = parsed.IsAbsoluteUri ? parsed.AbsoluteUri : location;
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -74,14 +74,22 @@ public override void Redirect(string location, bool permanent = false)`
`74`	`74`	`{`
`75`	`75`	`ArgumentNullException.ThrowIfNull(location);`
`76`	`76`
`77`		`- if (!location.StartsWith('/') &&`
`78`		`- Uri.TryCreate(location, UriKind.Absolute, out var uri) &&`
`79`		`- uri.Scheme is not ("http" or "https"))`
	`77`	`+ if (location.AsSpan().ContainsAny('\r', '\n'))`
	`78`	`+ {`
	`79`	`+ throw new ArgumentException("Redirect location must not contain CR or LF characters.", nameof(location));`
	`80`	`+ }`
	`81`	`+`
	`82`	`+ if (!Uri.TryCreate(location, UriKind.RelativeOrAbsolute, out var parsed))`
	`83`	`+ {`
	`84`	`+ throw new ArgumentException("Redirect location is not a valid URI.", nameof(location));`
	`85`	`+ }`
	`86`	`+`
	`87`	`+ if (parsed.IsAbsoluteUri && parsed.Scheme is not ("http" or "https"))`
`80`	`88`	`{`
`81`	`89`	`throw new ArgumentException("Redirect location must be a relative path or an HTTP/HTTPS URL.", nameof(location));`
`82`	`90`	`}`
`83`	`91`
`84`	`92`	`StatusCode = permanent ? 301 : 302;`
`85`		`- Headers["Location"] = location;`
	`93`	`+ Headers["Location"] = parsed.IsAbsoluteUri ? parsed.AbsoluteUri : location;`
`86`	`94`	`}`
`87`	`95`	`}`