net/http: Redirect only sanitizes relative but not absolute URIs #23961
Labels
FrozenDueToAge
NeedsDecision
Feedback is required from experts, contributors, and/or the community before a change can be made.
Milestone
What version of Go are you using (
go version
)?go version go1.10 linux/amd64
Does this issue reproduce with the latest release?
yes
What did you do?
Call http.Redirect with various URIs:
https://play.golang.org/p/Sjx3ktkGOSQ
What did you expect to see?
I expect the same uri sanitation happening on both relative and absolute redirects.
What did you see instead?
URIs for absolute Redirects are used as is, without any sanitation, while relative redirect uris
RFC 7231 (https://tools.ietf.org/html/rfc7231#section-7.1.2) does not seem to specify if the path contained in the Location header should be "clean".
The text was updated successfully, but these errors were encountered: