if "\@" in url ，the redirect result doesn't match the host of the new url("")

Line 269 in 5f15941

this.set('Location', encodeUrl(url))

Developer often use new url("") host to verify the redirected url, but here the encodeurl will cause the host verification to fail, thus creating a URL hopping vulnerability

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

if "\@" in url ，the redirect result doesn't match the host of the new url("") #1800

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

if "\@" in url ，the redirect result doesn't match the host of the new url("") #1800

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions