History: Mar 23, 2022 - 11:11 a.m.

Open Redirect on login

2022-03-23 11:11:11
zeripath
www.huntr.dev
open redirect
logic flaw
untrusted page
malware
risk
phishing
attacker
mitigation
bug bounty

EPSS

0.001

Percentile

41.5%

Description

Although https://github.com/go-gitea/gitea/pull/9678 protects against most open redirects, there is an unfortunate flaw in its logic due to browser behaviour when presented with Location headers that contain backslashes.

Proof of Concept

https://try.gitea.io/user/login?redirect_to=/\/\/\/\/\/\/\/\/\/\/\/\/\/\thedailywtf.com

Following a successful login using this URL, a redirect will be sent back to the browser with the Location header equal to: /\/\/\/\/\/\/\/\/\/\/\/\/\/\thedailywtf.com . The browser will interpret this as a redirect to //thedailywtf.com.
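To make the logic flaw concrete, here is an added Go example (not Gitea's code and not the change made in the fix) that places a naive "local path only" check beside a hardened one. It assumes the browser behaviour the report relies on: every backslash in the Location value is normalised to a forward slash before the redirect is followed, so the check must judge the normalised string, not the raw one.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// isLocalRedirectNaive only rejects absolute URLs and a literal leading "//".
// The proof-of-concept value starts with "/\", so it slips through, although a
// browser turns every backslash into "/" and is left with "//thedailywtf.com".
func isLocalRedirectNaive(target string) bool {
	if !strings.HasPrefix(target, "/") || strings.HasPrefix(target, "//") {
		return false
	}
	u, err := url.Parse(target) // Go's parser keeps backslashes as ordinary path bytes
	return err == nil && u.Scheme == "" && u.Host == ""
}

// isLocalRedirectHardened applies the browser's view first: rewrite each
// backslash to a forward slash, then run the same structural checks on the
// normalised string, so "/\evil" is judged exactly like "//evil".
func isLocalRedirectHardened(target string) bool {
	normalised := strings.ReplaceAll(target, `\`, "/")
	if !strings.HasPrefix(normalised, "/") || strings.HasPrefix(normalised, "//") {
		return false
	}
	u, err := url.Parse(normalised)
	return err == nil && u.Scheme == "" && u.Host == ""
}

func main() {
	// Constructed candidate redirect_to values; the first is the report's proof of concept.
	candidates := []string{
		`/\/\/\/\/\/\/\/\/\/\/\/\/\/\thedailywtf.com`,
		`/\thedailywtf.com`,
		"//thedailywtf.com",
		"https://thedailywtf.com",
		"/user/settings",
	}
	for _, c := range candidates {
		fmt.Printf("%-48q naive=%-5v hardened=%v\n", c, isLocalRedirectNaive(c), isLocalRedirectHardened(c))
	}
}
```

Running it shows the two backslash forms accepted by the naive check and rejected by the hardened one, while a genuine in-site path such as /user/settings passes both.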

Impact

This vulnerability constitutes an open redirect:

  • Users may be redirected to an untrusted page that contains malware which may then compromise the user’s machine. This will expose the user to extensive risk and the user’s interaction with the web server may also be compromised if the malware conducts keylogging or other attacks that steal credentials, personally identifiable information (PII), or other important data.
  • Users may be subjected to phishing attacks by being redirected to an untrusted page. The phishing attack may point to an attacker controlled web page that appears to be a trusted web site. The phishers may then steal the user’s credentials and then use these credentials to access the legitimate web site.

Mitigation

This vulnerability will be mitigated with:

https://github.com/go-gitea/gitea/pull/19175
