I have a vue application initiated with Vue-cli.
Vue version: 2.6.11
vue-router version: 3.2.0
Reproduction Link
https://github.com/keyhangholami/dom-based-open-redirect
Steps to reproduce
Put 3 or more forwarding slashes in the URL + an arbitrary URL and a date formatted with slashes (eg http://www.localhost:3000///google.com?dob=11/10/1987 and hit Enter
.
Expected behaviour
See the 404 page when the URL is invalid (includes 3 or more than 3 slashes + date like that).
What's actually happening?
The app gets redirected to Google (or any arbitrary URL) including all query params even though I don't have any redirect rule and I have the following route to redirect to 404:
{ path: '*', name: '404-page', component: Page404, props: false }
I had this same issue. I updated to:
vue 2.6.14
vue-router 3.5.3
vue-template-compiler 2.6.14
and that solved the issue.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.