Author: Jason A. Donenfeld <Jason@zx2c4.com>
ui-shared: Avoid new line injection into redirect header
ui-shared.c | 4 +++-
diff --git a/ui-shared.c b/ui-shared.c
index 5b487342d7f09e0faca82cbdb195aa8ae076b6aa..21f581f07fbf98feba066796fd3d489dfd5efca7 100644
--- a/ui-shared.c
+++ b/ui-shared.c
@@ -709,7 +709,9 @@ void cgit_redirect(const char *url, bool permanent) { htmlf("Status: %d %s\n", permanent ? 301 : 302, permanent ? "Moved" : "Found");
- htmlf("Location: %s\n\n", url);
+ html("Location: ");
+ html_url_path(url);
+ html("\n\n");
 exit(0);
 }
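Review bot: The added `html_url_path(url)` call makes the `Location` header only as safe as that helper's escape table, which is defined outside this hunk, so it is worth confirming there that both CR and LF are percent-encoded. A regression test should assert that a target containing a line break still yields exactly one `Location:` line. Because the argument is named `url` but is escaped as a path, a caller passing a target with a query string or fragment may find `?` or `#` encoded as well, which would change where the redirect lands; this depends on the helper and the callers, neither of which is visible here. I would also record the intent above the three new lines, e.g. `/* url can be request-derived: escape it so CR/LF cannot end the Location header early */`, so that a later cleanup does not fold them back into a single `htmlf()` call.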