From 7317bfb2b3963212cb78a0125639aacfb7c1c928 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=EC=9C=A0=EC=B0=BD=EC=9A=B1?=
Date: Sat, 20 Jun 2026 18:47:13 +0900
Subject: [PATCH] fix: reject protocol-relative and backslash URLs in safeUrl

Address commit security review: the same-origin branch of safeUrl accepted //host and /\host, which browsers normalize to an external host (open redirect). Allow only true same-origin paths.
---
 web/operator-gui/app.js | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/web/operator-gui/app.js b/web/operator-gui/app.js
index c4bef45..8751928 100644
--- a/web/operator-gui/app.js
+++ b/web/operator-gui/app.js
@@ -551,7 +551,11 @@ function safeUrl(value) {
 const url = String(value || "").trim();
- if (/^https?:\/\//i.test(url) || url.startsWith("/")) {
+ // Same-origin path, but reject protocol-relative ("//host") and backslash
+ // ("/\\host") forms that browsers normalize to an external host.
+ const isSameOriginPath = url.startsWith("/") && !url.startsWith("//") && !url.startsWith("/\\");
+
+ if (/^https?:\/\//i.test(url) || isSameOriginPath) {
 return url;