Fix insecure path handling in redirections.

Author: ioquatix

lib/utopia/redirection.rb

@@ -89,20 +89,26 @@ def cache_control
 				"max-age=#{self.max_age}"
 			end
 
-			def headers(location)
-				{HTTP::LOCATION => location, HTTP::CACHE_CONTROL => self.cache_control}
+			def make_headers(location)
+				{
+					HTTP::LOCATION => location,
+					HTTP::CACHE_CONTROL => self.cache_control
+				}
 			end
 
 			def redirect(location)
-				return [self.status, self.headers(location), []]
+				return [self.status, self.make_headers(location), []]
 			end
 
 			def [] path
 				false
 			end
 
 			def call(env)
-				path = env[Rack::PATH_INFO]
+				# Normalize the path to remove redundant slashes, `.` and `..` segments.
+				# This prevents protocol-relative redirect URLs (e.g. //evil.com/index)
+				# from being generated when PATH_INFO contains a double leading slash.
+				path = Path.create(env[Rack::PATH_INFO]).simplify.to_s
 
 				if redirection = self[path]
 					return redirection

releases.md

@@ -1,5 +1,9 @@
 # Releases
 
+## Unreleasd
+
+  - **Security** Fix handling of redirects that start with `//` to prevent open redirect vulnerabilities.
+
 ## v2.31.0
 
   - Add agent context.

test/utopia/redirection.rb

@@ -17,6 +17,15 @@
 		expect(last_response.headers["cache-control"]).to be(:include?, "max-age=86400")
 	end
 
+	it "should not allow open redirect via protocol-relative URL" do
+		get "//evil.com/"
+		
+		# Must not redirect to //evil.com/index (external host)
+		if last_response.status == 307
+			expect(last_response.headers["location"]).not.to start_with("//")
+		end
+	end
+	
 	it "should be permanently moved" do
 		get "/a"