Unverified Commit 6eeded0f by Julien Pivotto Committed by GitHub

Merge pull request from GHSA-vx57-7f4q-fpc7

* Do not remove /new because it is not part of the route parameter (CVE-2021-29622)
Signed-off-by: 's avatarJulien Pivotto <roidelapluie@inuits.eu>

* Release 2.26.1
Signed-off-by: 's avatarJulien Pivotto <roidelapluie@inuits.eu>
parent 3cafc588
## 2.26.1 / 2021-05-18
This release contains a bug fix for a security issue in the API endpoint. An
attacker can craft a special URL that redirects a user to any endpoint via an
HTTP 302 response. See the [security advisory][GHSA-vx57-7f4q-fpc7] for more details.
This vulnerability has been reported by Aaron Devaney from MDSec.
* [BUGFIX] SECURITY: Fix arbitrary redirects under the /new endpoint (CVE-2021-29622)
## 2.26.0 / 2021-03-31
Prometheus is now built and supporting Go 1.16 (#8544). This reverts the memory release pattern added in Go 1.12. This makes common RSS usage metrics showing more accurate number for actual memory used by Prometheus. You can read more details [here](https://www.bwplotka.dev/2019/golang-memory-monitoring/).
......@@ -354,7 +354,7 @@ func New(logger log.Logger, o *Options) *Handler {
// Redirect the original React UI's path (under "/new") to its new path at the root.
router.Get("/new/*path", func(w http.ResponseWriter, r *http.Request) {
p := route.Param(r.Context(), "path")
http.Redirect(w, r, path.Join(o.ExternalURL.Path, strings.TrimPrefix(p, "/new"))+"?"+r.URL.RawQuery, http.StatusFound)
http.Redirect(w, r, path.Join(o.ExternalURL.Path, p)+"?"+r.URL.RawQuery, http.StatusFound)
router.Get("/classic/alerts", readyf(h.alerts))
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment