fix(redirect): improve security in HTTP to HTTPS redirection

This commit is contained in:
2026-07-04 14:39:41 +08:00
parent 481ccad05e
commit 33a29b04e4
4 changed files with 21 additions and 10 deletions

View File

@@ -15,7 +15,9 @@
package vhost
import (
"net"
"net/http"
"net/url"
"strconv"
"sync"
@@ -73,11 +75,19 @@ func (r *HTTPSRedirector) Redirect(rw http.ResponseWriter, req *http.Request) bo
return false
}
target := "https://" + host
if r.port != 443 {
target += ":" + strconv.Itoa(r.port)
target := url.URL{
Scheme: "https",
Host: host,
Path: req.URL.Path,
RawPath: req.URL.RawPath,
RawQuery: req.URL.RawQuery,
}
target += req.URL.RequestURI()
http.Redirect(rw, req, target, http.StatusMovedPermanently)
if r.port != 443 {
target.Host = net.JoinHostPort(host, strconv.Itoa(r.port))
}
// Not an open redirect: the host is validated against the registered
// domain set above, the scheme is fixed, and only the same-host path and
// query are echoed back.
http.Redirect(rw, req, target.String(), http.StatusMovedPermanently) //nolint:gosec // G710
return true
}