diff options
| author | Dan Fandrich <danf@mageia.org> | 2025-06-06 18:47:10 -0700 |
|---|---|---|
| committer | Dan Fandrich <danf@mageia.org> | 2025-06-06 18:47:10 -0700 |
| commit | 058146cfdea0ee115b29abd816aa0ba8004311e0 (patch) | |
| tree | fcf044e3ed99f651fec188eac253ab36599e180b /modules/viewvc/files/setcookieredirect.html | |
| parent | 6d0484586a22372b280125337f870353041f05f0 (diff) | |
| download | puppet-058146cfdea0ee115b29abd816aa0ba8004311e0.tar puppet-058146cfdea0ee115b29abd816aa0ba8004311e0.tar.gz puppet-058146cfdea0ee115b29abd816aa0ba8004311e0.tar.bz2 puppet-058146cfdea0ee115b29abd816aa0ba8004311e0.tar.xz puppet-058146cfdea0ee115b29abd816aa0ba8004311e0.zip | |
Properly escape the target in then anti-robot redirect
Any additional URL parameters after a & were previously dropped.
Diffstat (limited to 'modules/viewvc/files/setcookieredirect.html')
| -rw-r--r-- | modules/viewvc/files/setcookieredirect.html | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/modules/viewvc/files/setcookieredirect.html b/modules/viewvc/files/setcookieredirect.html index acb34af6..17322c18 100644 --- a/modules/viewvc/files/setcookieredirect.html +++ b/modules/viewvc/files/setcookieredirect.html @@ -10,9 +10,9 @@ }); let path = params.to; // Sanitize redirect path to avoid malicious arbitrary redirects - if (/^\/[-a-zA-Z0-9~_.?&=/+]*$/.test(path)) { + if (/^\/[-a-zA-Z0-9~_.?&=/+]*$/.test(decodeURI(path))) { const current = new URL(window.location.toLocaleString()); - window.location.href = current.origin + path; + window.location.href = current.origin + encodeURI(decodeURI(path)); } else { window.onload = function() { document.getElementById('error').innerHTML = 'Error! Bad redirect location!'; |