[Security:medium] open redirection due to incorrect escape handling in URI userinfo
Concerned version
Version: 2.16.2
Summary
- Browse to http://auth.example.com/?url=aHR0cHM6Ly9oYWNrZXIuY29tXEBAdGVzdDEuZXhhbXBsZS5jb20v (https://hacker.com@@test1.example.com/)
- LLNG detects it as test1.example.com, which is allowed, and sends redirect
- For some reason, browsers "correct" it to https://hacker.com/@@test1.example.com/
Possible fixes
We should normalize the received URL before using it in redirects:
my $u = URI->new('https://hacker.com\@@test1.example.com/');
print $u; # https://hacker.com%5C@@test1.example.com