From c22614fad926e7737c7d75dc4e71a0988caddbd2 Mon Sep 17 00:00:00 2001
From: t0rchwo0d
Date: Fri, 17 Feb 2023 12:46:00 +0900
Subject: [PATCH] Fix #3500 Add escape logic for header
---
 gin.go | 3 +++
 routes_test.go | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/gin.go b/gin.go
index 32dae2497f..efb6de57f1 100644
--- a/gin.go
+++ b/gin.go
@@ -670,8 +670,11 @@ func redirectTrailingSlash(c *Context) {
 p := req.URL.Path
 if prefix := path.Clean(c.Request.Header.Get("X-Forwarded-Prefix")); prefix != "." {
 prefix = url.QueryEscape(prefix)
+ prefix = strings.ReplaceAll(prefix, ".", "")
 prefix = strings.ReplaceAll(prefix, "%2F", "/")
+ fmt.Println(prefix)
+
 p = prefix + "/" + req.URL.Path
 }
 req.URL.Path = p + "/"
diff --git a/routes_test.go b/routes_test.go
index 5310caec25..55e1806766 100644
--- a/routes_test.go
+++ b/routes_test.go
@@ -186,11 +186,11 @@ func TestRouteRedirectTrailingSlash(t *testing.T) {
 assert.Equal(t, 200, w.Code)
 w = PerformRequest(router, http.MethodGet, "/path/", header{Key: "X-Forwarded-Prefix", Value: "../../bug#?"})
- assert.Equal(t, "../../../bug%2523%253F/path", w.Header().Get("Location"))
+ assert.Equal(t, "//bug%2523%253F//path", w.Header().Get("Location"))
 assert.Equal(t, 301, w.Code)
 w = PerformRequest(router, http.MethodGet, "/path/", header{Key: "X-Forwarded-Prefix", Value: "https://gin-gonic.com/#"})
- assert.Equal(t, "https%3A/gin-gonic.com/%23/https%253A/gin-gonic.com/%2523/path", w.Header().Get("Location"))
+ assert.Equal(t, "https%3A/gin-goniccom/%23/https%253A/gin-goniccom/%2523/path", w.Header().Get("Location"))
 assert.Equal(t, 301, w.Code)
 w = PerformRequest(router, http.MethodGet, "/path/", header{Key: "X-Forwarded-Prefix", Value: "#bug"})
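Review bot: Deleting every `.` from the escaped prefix does not keep the redirect on this host: for the header value `../../bug#?` the prefix that remains starts with `//`, and the updated expectation in routes_test.go (`//bug%2523%253F//path`) shows that value reaching the Location header, where clients read a leading `//` as a scheme-relative reference to another host. Removing single characters is a fragile denylist; I would validate the cleaned prefix against an allowlist of path characters and force exactly one leading slash after the replacements, for example `prefix = "/" + strings.TrimLeft(prefix, "/")`. The added `fmt.Println(prefix)` writes a client-controlled header value to stdout on every trailing-slash redirect and should be dropped before merge. redirectTrailingSlash starts before and continues after this hunk, so how `req.URL.Path` is turned into the Location value is inferred from the test rather than visible here.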
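Review bot: The updated expectation `//bug%2523%253F//path` makes a Location that begins with `//` the passing result, so the test now locks in a value that clients resolve as a scheme-relative reference to another host rather than a path on this server. I would assert the property instead of the exact string, e.g. `assert.False(t, strings.HasPrefix(w.Header().Get("Location"), "//"))` (this needs `strings` imported in the test file, which the hunk does not show). The second expectation, `gin-goniccom`, shows that dots are also removed from ordinary prefix text, so a case with a legitimate dotted prefix such as `/api/v1.2` would document whether that loss is intended. TestRouteRedirectTrailingSlash starts before and continues after this hunk.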