From 058146cfdea0ee115b29abd816aa0ba8004311e0 Mon Sep 17 00:00:00 2001
From: Dan Fandrich
Date: Fri, 6 Jun 2025 18:47:10 -0700
Subject: Properly escape the target in then anti-robot redirect

Any additional URL parameters after a & were previously dropped.
---
 modules/viewvc/files/setcookieredirect.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'modules/viewvc/files/setcookieredirect.html')

diff --git a/modules/viewvc/files/setcookieredirect.html b/modules/viewvc/files/setcookieredirect.html
index acb34af6..17322c18 100644
--- a/modules/viewvc/files/setcookieredirect.html
+++ b/modules/viewvc/files/setcookieredirect.html
@@ -10,9 +10,9 @@
 });
 let path = params.to;
 // Sanitize redirect path to avoid malicious arbitrary redirects
- if (/^\/[-a-zA-Z0-9~_.?&=/+]*$/.test(path)) {
+ if (/^\/[-a-zA-Z0-9~_.?&=/+]*$/.test(decodeURI(path))) {
 const current = new URL(window.location.toLocaleString());
- window.location.href = current.origin + path;
+ window.location.href = current.origin + encodeURI(decodeURI(path));
 } else {
 window.onload = function() {
 document.getElementById('error').innerHTML = 'Error! Bad redirect location!';
--
cgit v1.2.1
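Review bot: decodeURI() throws a URIError on a malformed escape sequence (a lone `%` or a truncated sequence such as `%E0`), and the new `if (... .test(decodeURI(path)))` line has no try/catch, so a malformed `to` parameter now aborts the script with an uncaught exception instead of reaching the `else` branch that renders 'Error! Bad redirect location!'. Since `params.to` comes from the request URL, the decode should be guarded and any decode failure treated as a bad location, which also means decoding once into a local instead of twice. Note too that every character the regex admits is left unchanged by encodeURI, so once the test has passed the `encodeURI(...)` wrap on the assignment is effectively a no-op; harmless, but worth a comment so nobody later relies on it for escaping. The if/else block continues past the end of the hunk.
```javascript
      let path = params.to;
      // Sanitize redirect path to avoid malicious arbitrary redirects
      let decoded = null;
      try {
        decoded = decodeURI(path);
      } catch (err) {
        // Malformed percent-encoding: leave decoded null so we fall into the error branch
      }
      if (decoded !== null && /^\/[-a-zA-Z0-9~_.?&=/+]*$/.test(decoded)) {
        const current = new URL(window.location.toLocaleString());
        window.location.href = current.origin + encodeURI(decoded);
      } else {
        // … unchanged: error message handler …
```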