Open redirect in the HTTP.jl static file server canonical redirects
Description
The static file server's canonical 301 redirects (index-file strip, directory trailing-slash add, and file trailing-slash strip) built the Location header verbatim from the un-normalized request target. Request-target validation only requires a leading /, has no CTL bytes, and the .. check plus segment decoding drop empty segments, so a target like //evil.example/index.html or /\evil.example/ survived validation and produced a Location such as //evil.example/ — a scheme-relative network-path reference (RFC 3986 §4.2) that browsers resolve to a foreign authority.
Impact
A crafted request to the file server could produce a redirect to an attacker-controlled host (open redirect).
Patches
Fixed in HTTP.jl v2.4.0. A new _sanitize_redirect_location collapses any leading run of / or \` separators down to a single/, re-rooting theLocationat the server's own origin so it can never carry an authority component (backslashes are treated as separators because browsers normalize` to /). Every canonical-redirect branch routes its Location through the sanitizer; single-rooted local paths are unchanged.
Reported to the JuliaLang security team through Anthropic's Coordinated Vulnerability Disclosure program.