Hello developer, I noticed at https://github.com/decred/dcrdata/blob/master/cmd/dcrdata/internal/explorer/explorermiddleware.go#L313 that user input is accepted and redirected here.
Although the code strives to ensure that the redirect address is a relative address using URL.EscapedPath(), it's worth noting that this code logic can still be bypassed by attackers. For a URL like http://a.com//fushuling.com, the parsed EscapedPath would be //fushuling.com.
```go
package main

import (
	"fmt"
	"net/url"
)

func main() {
	// The path component of this URL begins with "//", so the
	// "relative" path is itself a scheme-relative URL.
	redirectURI := "http://a.com//fushuling.com"
	URL, _ := url.Parse(redirectURI)
	fmt.Println(URL.EscapedPath()) // prints //fushuling.com
}
```
In the actual redirect, a value such as //fushuling.com is a scheme-relative URL: the browser fills in the current scheme and resolves it against the host fushuling.com, so the user is redirected to an external site.
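To make the check concrete, here is an added example (not dcrdata's code) that puts the EscapedPath-based extraction described above next to a hypothetical hardened validator which rejects any path that does not begin with exactly one "/", and runs both over the report's bypass value and a legitimate local path:

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// naiveRelativePath mirrors the pattern described above: parse the user
// supplied value and treat its EscapedPath as a same-site target.
func naiveRelativePath(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		return "/"
	}
	return u.EscapedPath()
}

// safeRelativePath is a hypothetical hardened replacement. It extracts the
// path the same way, then only accepts a path that starts with exactly one
// "/": a leading "//" is a scheme-relative URL that browsers resolve with
// the current scheme and the embedded host, i.e. another origin.
func safeRelativePath(raw string) (string, bool) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", false
	}
	p := u.EscapedPath()
	// "//host" (and the "/\host" form some browsers also accept) must not
	// pass; EscapedPath already percent-encodes "\", so the last test is
	// purely defensive.
	if !strings.HasPrefix(p, "/") || strings.HasPrefix(p, "//") || strings.HasPrefix(p, `/\`) {
		return "", false
	}
	if u.RawQuery != "" {
		p += "?" + u.RawQuery
	}
	return p, true
}

func main() {
	for _, in := range []string{
		"/tx/abc?view=raw",            // legitimate local path
		"http://a.com//fushuling.com", // the bypass value from the report
		"//fushuling.com",             // scheme-relative URL given directly
	} {
		safe, ok := safeRelativePath(in)
		fmt.Printf("%-30s naive=%q hardened=%q ok=%v\n", in, naiveRelativePath(in), safe, ok)
	}
}
```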
