search

gin-gonic / gin

Gin is a HTTP web framework written in Go (Golang). It features a Martini-like API with much better performance -- up to 40 times faster. If you need smashing performance, get yourself some Gin.
https://gin-gonic.com/
MIT License
77.95k stars 7.97k forks source link

[Bug] infinite redirect with RedirectFixedPath #4034

Open ALX99 opened 3 weeks ago

ALX99 commented 3 weeks ago

Description

Enabling RedirectFixedPath sometimes leads to infinite redirects

How to reproduce

package main

import (
    "github.com/gin-gonic/gin"
)

func main() {
    r := gin.Default()

    r.GET("/あ", func(c *gin.Context) {
        c.JSON(200, gin.H{})
    })

    r.UnescapePathValues = false
    r.UseRawPath = true
    r.RedirectFixedPath = true
    r.Run(":8181")
}

Expectations

$ curl 'localhost:8181/%E3%81%82' -L
{}
$ curl 'localhost:8181/%e3%81%82' -L
{}
$ curl 'localhost:8181/あ' -L
{}

Actual result

$ curl 'localhost:8181/%E3%81%82' -L
{}
$ curl 'localhost:8181/%e3%81%82' -L
curl: (47) Maximum (50) redirects followed
$ curl 'localhost:8181/あ' -L
curl: (47) Maximum (50) redirects followed

Environment

go version: 1.23.0 gin version (or commit ref): v1.10.0 operating system: macOS Sequoia

JimChenWYU commented 3 weeks ago

image image

Using /あ for comparison, but using /%e3%81%82 when redirecting, so it causes an infinite loop.

image

If using EscapedPath for comparison, responsing 404 not found

maybe we use req.URL.Path for redirecting, not useing req.URL.String().

JimChenWYU commented 3 weeks ago

image image

Using /あ for comparison, but using /%e3%81%82 when redirecting, so it causes an infinite loop.

image

If using EscapedPath for comparison, responsing 404 not found

maybe we use req.URL.Path for redirecting, not useing req.URL.String().

image

ohhh... when it set Location header, it will escape url.