Open Redirect in star7th/showdoc
Reported on
Nov 20th 2021
Description
I found a new way to exploit Open Redirect at the "redirect" parameter on the login page by using the Chinese dot (%E3%80%82) to bypass the dot (.) filter.
Vulnerable parameter
redirect
Payload
/%09/google%E3%80%82com
Proof of Concept
Send users the following login link https://www.showdoc.com.cn/user/login?redirect=/%09/google%E3%80%82com
After users use their registered accounts to log in, they will be redirected to google.com
Impact
By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials.
References
This problem is very similar to that one: https://huntr.dev/bounties/ffc61eff-efea-42c5-92c2-e043fdf904d5/ Can you provide some repair suggestions in the comments? If I need to enumerate various escape situations, maybe showdoc's reward will be consumed on the same kind of problem. This will lead to no one else helping me find other types of vulnerabilities.
Hi @star7th,
Surely, I am glad to help you with the repair suggestions for this problem. I am not good at validation, but I think you can try this regex for validating the value of the redirect parameter: ![^A-Za-z0-9/:\?\._\*\+\-]+.*!.
Moreover, after you fix this problem, I can help you retest it, and if it is still vulnerable, I will put a comment here for you to improve it without submitting a new report.
Just a reminder to mark a fix against this report, so that we can go ahead and publish the CVE! ♥️
@Chau Minh Khanh
I have released a version that fixes this problem. You can test it
Hi @star7th,
In your new version, I am still able to bypass your fix by using this payload: ///google.com/
You can check it via this PoC link: https://www.showdoc.com.cn/user/login?redirect=///google.com/
Hi @star7th,
Since you fixed the problem by filtering the dot, I can still bypass this by not using the dot with this payload: ///3627734862/
You can check it via this PoC link: https://www.showdoc.com.cn/user/login?redirect=///3627734862/
Hi @star7th,
It looks like your newest fix is good; I have tried many test cases and can no longer bypass it. In the future, if I learn any new bypass techniques, I will come back here and put a comment for you to fix it.
Nice to work with you. Now you can submit the fix against this report. Thank you!
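Added example, not ShowDoc's code and not the validation the maintainer shipped: a Python check for a post-login `redirect` parameter that accepts only a path-relative target on the same site. Instead of filtering the dot, it rejects the three payloads in this thread for structural reasons: the percent-encoded tab in `/%09/google%E3%80%82com`, and the extra leading slashes in `///google.com/` and `///3627734862/`. Function and constant names are my own.

```python
"""Same-site check for a post-login ``redirect`` parameter (added example).

Only a path-relative target is accepted: exactly one leading "/" followed by
a non-slash character, after percent-decoding. Anything a browser could
reinterpret as a host (a second "/" or "\\", tab/control characters that
browsers strip, a scheme) is refused and replaced by a fixed fallback.
"""
import re
from urllib.parse import unquote

SAFE_FALLBACK = "/"  # where to send the user when the parameter is rejected

# C0 controls, space, DEL and C1 controls; %09 (tab) lands in this class.
_CONTROL_OR_SPACE = re.compile(r"[\x00-\x20\x7f-\x9f]")


def _fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so %252F cannot hide a second slash."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def is_safe_redirect(value: str) -> bool:
    """True only for a path-relative target such as /item/index?item_id=1."""
    if not value:
        return False
    decoded = _fully_decode(value)
    if _CONTROL_OR_SPACE.search(decoded):  # rejects /%09/google。com
        return False
    if "\\" in decoded:  # browsers treat "\" as "/" in http(s) URLs
        return False
    # Exactly one leading slash: //host, ///google.com/ and ///3627734862/
    # all fail here, and a scheme like https: or javascript: cannot start with "/".
    if not decoded.startswith("/") or decoded[1:2] == "/":
        return False
    return True


def safe_redirect_target(value: str) -> str:
    """Return the parameter unchanged if safe, otherwise the fallback path."""
    return value if is_safe_redirect(value) else SAFE_FALLBACK
```

Because the check is structural, the Chinese dot on its own is harmless here: `/%E3%80%82/x` decodes to a plain path and is accepted, while the same bytes preceded by `%09/` are not.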