koajs / koa

Expressive middleware for node.js using ES2017 async functions
https://koajs.com
MIT License

If "\@" is in the URL, the redirect result doesn't match the host of new URL() #1800

Closed FDrag0n closed 5 months ago

FDrag0n commented 7 months ago

https://github.com/koajs/koa/blob/5f159415e58c42b54cb0703d7cfb10870d33d65f/lib/response.js#L269

Developers often use the host from new URL() to verify the redirect URL, but here encodeurl causes the host verification to fail, thus creating a URL hopping vulnerability.
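The mismatch this report describes, reproduced against Node's WHATWG `URL` parser as an added example (not koa's code and not part of this issue). `encodeBackslash` is a constructed stand-in for the one encodeurl transformation that matters here (a backslash becomes `%5C`), and `trusted.example` / `evil.example` are constructed hostnames; `safeRedirectTarget` shows the defensive check: validate the exact string that will be emitted as the Location header, not the raw input.

```javascript
// Stand-in for the relevant part of encodeurl: percent-encode backslash as %5C.
// (Assumption: the real library also encodes other characters, irrelevant here.)
function encodeBackslash(url) {
  return url.replace(/\\/g, '%5C');
}

// Naive check: parse the raw string the handler received and compare its host.
// The WHATWG parser treats "\" in a special-scheme URL as a path separator,
// so "https://trusted.example\@evil.example/" parses with host trusted.example.
function naiveHostCheck(rawUrl, allowedHost) {
  try {
    return new URL(rawUrl).host === allowedHost;
  } catch {
    return false;
  }
}

// Host the browser will actually resolve after the backslash has been encoded:
// "https://trusted.example%5C@evil.example/" now carries userinfo before "@",
// and the host is evil.example.
function hostAfterRedirect(rawUrl) {
  return new URL(encodeBackslash(rawUrl)).host;
}

// Hardened check: validate the encoded string (what goes into Location),
// require the expected host, and refuse any userinfo since none is expected
// for an in-app redirect. Returns the string to emit, or null to reject.
function safeRedirectTarget(rawUrl, allowedHost) {
  const encoded = encodeBackslash(rawUrl);
  let parsed;
  try {
    parsed = new URL(encoded);
  } catch {
    return null;
  }
  if (parsed.host !== allowedHost) return null;
  if (parsed.username || parsed.password) return null;
  return encoded;
}

// Constructed input reproducing the report: the raw string passes the naive
// check, but the encoded Location points at a different host.
const constructedInput = 'https://trusted.example\\@evil.example/';
const constructedSafeInput = 'https://trusted.example/account';
```

With `constructedInput`, `naiveHostCheck` returns true while `hostAfterRedirect` returns `evil.example`; `safeRedirectTarget` rejects it and passes `constructedSafeInput` through unchanged.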

FDrag0n commented 7 months ago

FDrag0n commented 5 months ago

Great fix fit, thanks!