From fe989bab602aa54e49108d70444378e205815586 Mon Sep 17 00:00:00 2001
From: pixel
Date: Mon, 27 Feb 2023 01:35:39 +0100
Subject: [PATCH] HTTP redirect everything with `.` and without `:`
It's actually better than what we had before, let's look at some example hosts: 1. chrissx.de 2. alditalk-kundenbetrug.de 3. 78.47.163.103 4. [2a01:4f8:c0c:69c8::1] 5. zerm.eu:80 6. chrissx.eu.evil.com 7. evil.com 8. localhost 1-4 should be redirected to the same host, 5 with either a changed or removed port, 6-8 should get the client killed. 1 and 2 are the most important ones for normal users, 3-5 might occur, and, again, 6-8 are insane. With the old algorithm, only 1 and 8 were handled correctly, 2 was just missing from the code, 3 and 4 are IPs and just can't be recognized, 5 shows the one major flaw because it redirects to a non-existent HTTPS server at port 80, 6 and 7 get upgraded unnecessarily. With the new algorithm, 1-3 and 8 are handled correctly, 4 and 5 don't get redirected, 6 and 7 get upgraded unnecessarily.
---
redirector.go | 12 ++----------
1 file changed, 2 insertions(+), 10 deletions(-)
diff --git a/redirector.go b/redirector.go
index 4150927..3f17b3c 100644
--- a/redirector.go
+++ b/redirector.go
@@ -31,18 +31,10 @@ func main() {
 http.Handle("/metrics", promhttp.Handler())
 http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
- log.Printf("Got a %s request from %s: %s (%s)",
+ log.Printf("%s request from %s: %s (%s)",
 r.Proto, r.RemoteAddr, r.URL, r.Host)
 totalReqs.WithLabelValues().Inc()
- // this matches urls like chrissx.de.evil.com, but
- // there are no ways to exploit that (except if there
- // are other misdesigns)
- if strings.Contains(r.Host, "chrissx.de") ||
- strings.Contains(r.Host, "chrissx.eu") ||
- strings.Contains(r.Host, "zerm.eu") ||
- strings.Contains(r.Host, "zerm.link") ||
- strings.Contains(r.Host, "fuxgames.com") ||
- strings.Contains(r.Host, "lowlevelmusic.com") {
+ if strings.Contains(r.Host, ".") && !strings.Contains(r.Host, ":") {
 var url = url.URL{}
 url.Host = r.Host
 url.Scheme = "https"
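Review bot: The new condition `strings.Contains(r.Host, ".") && !strings.Contains(r.Host, ":")` copies any client-supplied Host that contains a dot into `url.Host`, so the redirect target is unvalidated request input. Hosts 6 and 7 from the commit message still get a redirect to a name this server does not serve, which matters most if a shared cache or proxy sits in front of it. Matching the host exactly or as a subdomain of a served zone, after dropping the port with `net.SplitHostPort`, would cover cases 1, 2 and 5 and reject 6–8. Cases 3 and 4 would need the server's own addresses listed as literals, and an IPv6 literal needs its brackets restored before it goes back into `url.Host`. The sketch assumes `net` is imported (the import block is outside the hunk) and takes the zone names from the removed lines and the commit message; the handler continues past the hunk, so the fate of rejected hosts is not visible here.

```go
// servedZones holds the zones named in the removed allowlist, plus the one
// the commit message reports as missing from it.
var servedZones = []string{
	"chrissx.de", "chrissx.eu", "zerm.eu", "zerm.link",
	"fuxgames.com", "lowlevelmusic.com", "alditalk-kundenbetrug.de",
}

// servedHost reports whether host is a served zone or a subdomain of one.
// The "."+z suffix check keeps chrissx.eu.evil.com from matching.
func servedHost(host string) bool {
	host = strings.ToLower(host)
	for _, z := range servedZones {
		if host == z || strings.HasSuffix(host, "."+z) {
			return true
		}
	}
	return false
}

// … unchanged: handler registration, request logging, totalReqs counter …
		host := r.Host
		if h, _, err := net.SplitHostPort(host); err == nil {
			host = h // case 5: redirect without the plain-HTTP port
		}
		if servedHost(host) {
			var url = url.URL{}
			url.Host = host
// … unchanged: scheme assignment and the rest of the handler …
```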