-
Notifications
You must be signed in to change notification settings - Fork 33
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Possible security issue: //TARGET_URL/ results in 302 to target #72
Comments
one solution is to redirect using an absolute url with the origin instead of using just the pathname - throw redirect(url.pathname.slice(0, -1) + url.search);
+ throw redirect(url.origin + url.pathname.slice(0, -1) + url.search); |
mcansh
added a commit
that referenced
this issue
Jul 26, 2023
closes #72 Signed-off-by: Logan McAnsh <[email protected]>
mcansh
added a commit
that referenced
this issue
Jul 26, 2023
closes #72 Signed-off-by: Logan McAnsh <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Example: https://reactrouter.com//google.com/
Expectation: 404
Actual: 302 redirects to google.com
This is bad because a malicious actor can send links that look like official reactrouter.com pages but the end users get silently redirected to a possible malicious site owned by the sender
I haven't dug too much into this yet but also see that it affects the main remix.run site too - https://remix.run//google.com/
The text was updated successfully, but these errors were encountered: