Possible security issue: //TARGET_URL/ results in 302 to target #72
Comments
|
one solution is to redirect using an absolute url with the origin instead of using just the pathname - throw redirect(url.pathname.slice(0, -1) + url.search);
+ throw redirect(url.origin + url.pathname.slice(0, -1) + url.search);https://github.com/remix-run/react-router-website/blob/main/app/modules/http-utils/remove-slashes.ts |
mcansh
added a commit
that referenced
this issue
Jul 26, 2023
closes #72 Signed-off-by: Logan McAnsh <logan@mcan.sh>
mcansh
added a commit
that referenced
this issue
Jul 26, 2023
closes #72 Signed-off-by: Logan McAnsh <logan@mcan.sh>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Example: https://reactrouter.com//google.com/
Expectation: 404
Actual: 302 redirects to google.com
This is bad because a malicious actor can send links that look like official reactrouter.com pages but the end users get silently redirected to a possible malicious site owned by the sender
I haven't dug too much into this yet but also see that it affects the main remix.run site too - https://remix.run//google.com/
The text was updated successfully, but these errors were encountered: