redirect to another domain #2515
Comments
How do we reproduce this? If I go to, for example, https://kit.svelte.dev//https://google.com/ I get a 404, as expected. Does this only happen in dev mode?
Reproducible in dev mode. Tried setting
Added the "vite" label - I also removed the "1.0" milestone, since this appears to be a dev-only issue.
Should I tell them about this problem or have they already been informed?
Can easily reproduce with a new Svelte-Kit skeleton app, but I've tried multiple ways to reproduce this with a BTW, two findings from my repro attempts might be useful.
I was just about to open an issue in Vite, as I'm able to reproduce this in a normal Vite app. SvelteKit uses the Vite dev server under the hood, so I think the core fix is in Vite. I've also checked Vite's issue tracker and there doesn't seem to be an existing one.
@bluwy If you can reproduce this in a Vite app without Svelte-Kit involved, then ignore my comment, because the fact that you can reproduce it in a normal Vite app means that it's not a Svelte-Kit issue. I have had to move on to working on something else and probably won't be able to revisit this issue, so don't let my comment stop you from reporting this since you have a repro to show.
@bluwy Did you ever open that Vite issue? I've looked for it but I don't see it. If you haven't had time, I'd be willing to open the issue, but I haven't managed to reproduce this in Vite the way you have. If you can post a link to your repro repo, I'd be willing to open the issue in https://github.com/vitejs/vite/issues for you.
Ah, my bad. This issue had slipped my mind. I think you were right with your comment, where the bug happens differently in Vite and SvelteKit, as I can't reproduce the URL provided by OP in a Vite app. Feel free to open an issue in Vite though; I currently don't have a repro at hand.
This appears to have been fixed by #2683. With Vite 2.6.11 in place I can no longer reproduce this bug. Instead I get a 403 Restricted error saying "The request url "/https:/google.com/" is outside of Vite serving allow list". Downgrading to Vite 2.6.10 lets me reproduce the bug again, but bringing Vite 2.6.11 back fixes the issue. So I think this can be closed now as a fix has been released.
Nice. Thanks for checking this again @rmunn!
http://localhost:3000//https://www.google.com/ still redirects on skeleton app both dev and preview
I can reproduce this as well, using
I can't reproduce it as of
I can still reproduce in the latest version (
I'm using
Your dependencies are a bit (very) out of date, try upgrading to:

```json
"@sveltejs/adapter-node": "^1.2.0",
"@sveltejs/kit": "^1.5.0",
"svelte": "^3.54.0",
"vite": "^4.0.0"
```

Note that you will have to do the migration to use the new SvelteKit version. Edit: missed the part that you can't upgrade, apologies :(
Describe the bug
The link leads to someone else's site:
http://localhost:3000//https://google.com/
Can be used by hackers.
Reproduction
Found on all versions of SvelteKit. Redirects to another site; can be used by hackers.
Logs
No response
System Info
Severity
blocking all usage of SvelteKit
Additional Information
No response
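The report above is the classic shape of an open redirect through a protocol-relative path: a browser that receives a `Location` header such as `//google.com/` from `http://localhost:3000` resolves it to `http://google.com/`, because everything after the two slashes is read as a host, not as a path. The following is an added example, not code from Vite or SvelteKit, showing how such targets resolve with the WHATWG `URL` parser and a check a server can run before echoing a request path into a redirect. `ORIGIN` (set to the dev-server origin from the report), `isSafeLocalRedirect`, `safeRedirect` and `demo` are names chosen here; the `res` object used with `safeRedirect` only needs the `statusCode`, `setHeader()` and `end()` members that Node's `http.ServerResponse` provides.

```javascript
// Added example (not Vite's or SvelteKit's code). Shows why a request path that
// begins with "//" must never be echoed into a Location header, and a check that
// refuses such targets. ORIGIN is the dev-server origin from the bug report.
const ORIGIN = 'http://localhost:3000';

// Resolve a redirect target the way a browser resolves a Location header:
// relative to the origin of the response. "//host/..." is scheme-relative,
// so the text after the slashes becomes the host rather than a path on our site.
function resolveRedirect(target, origin = ORIGIN) {
  return new URL(target, origin);
}

// True only when `target` is a plain path on our own origin.
// Rejects absolute URLs, "//host" and "/\host" (browsers treat "\" like "/"
// for http/https), and anything whose resolved origin differs from ours.
function isSafeLocalRedirect(target, origin = ORIGIN) {
  if (typeof target !== 'string' || !target.startsWith('/')) return false;
  if (/^\/[\/\\]/.test(target)) return false; // "//..." or "/\..."
  let resolved;
  try {
    resolved = new URL(target, origin);
  } catch {
    return false; // unparsable target: refuse rather than guess
  }
  return resolved.origin === new URL(origin).origin;
}

// Redirect helper that falls back to `fallback` when the target is unsafe.
// `res` needs only statusCode, setHeader() and end(), as http.ServerResponse has.
function safeRedirect(res, target, fallback = '/', origin = ORIGIN) {
  const location = isSafeLocalRedirect(target, origin) ? target : fallback;
  res.statusCode = 302;
  res.setHeader('Location', location);
  res.end();
  return location;
}

// Constructed walk-through using the path from the report: where a naive
// "redirect to the request path" would send the browser, versus the check.
function demo() {
  const reported = '//https://google.com/';
  return {
    naiveDestination: resolveRedirect(reported).href,          // not on localhost
    protocolRelative: resolveRedirect('//google.com/').hostname, // "google.com"
    accepted: isSafeLocalRedirect('/about?x=1'),                 // true
    rejected: isSafeLocalRedirect(reported),                     // false
  };
}

console.log(demo());
```

The regex guard runs before URL parsing on purpose: it documents the exact prefixes that flip a path into an authority, and it still rejects them even if a future parser quirk resolved one of them back onto the local origin. The origin comparison after parsing then catches absolute URLs and any encoding tricks the prefix check does not anticipate.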