From 1f247cf8139cb483276cd8dd06385a800ce9d4b2 Mon Sep 17 00:00:00 2001
From: chromium1337
Date: Mon, 6 Aug 2018 17:10:16 +0800
Subject: [PATCH] routes: fix open redirect vulnerability #5364 (#5365)

---
 routes/user/auth.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/routes/user/auth.go b/routes/user/auth.go
index 16e8bd2d7..76e51c366 100644
--- a/routes/user/auth.go
+++ b/routes/user/auth.go
@@ -73,10 +73,10 @@ func AutoLogin(c *context.Context) (bool, error) {
 }
 
 // isValidRedirect returns false if the URL does not redirect to same site.
-// False: //url, http://url
+// False: //url, http://url, /\url
 // True: /url
 func isValidRedirect(url string) bool {
-	return len(url) >= 2 && url[0] == '/' && url[1] != '/'
+	return len(url) >= 2 && url[0] == '/' && url[1] != '/' && url[1] != '\\'
 }
 
 func Login(c *context.Context) {
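Review bot: The new `isValidRedirect` guard is still a denylist on the second byte only, so it decides same-site-ness from a single character rather than from what a browser will actually resolve; the WHATWG URL parser strips ASCII tab and newline from the input before resolving a relative reference, which means a leading `/` followed by such a character is not proven to stay on the same origin by this check. I would reject those control characters explicitly in the same expression, e.g. `return len(url) >= 2 && url[0] == '/' && url[1] != '/' && url[1] != '\\' && !strings.ContainsAny(url, "\t\r\n")`, which needs `strings` in the import block if the file does not already have it (the imports are outside this hunk). The doc comment should then say why rather than enumerate cases, e.g. `// isValidRedirect reports whether url is a same-site path: a single leading '/' not followed by a path separator a browser could read as scheme-relative ('/' or '\\'), and no tab/newline bytes that URL parsers discard.` Naming the parameter `url` also shadows the `net/url` package name, which will bite the first time this file imports it; a name like `target` avoids that. The hunk also opens `Login`, whose body continues outside the hunk.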