From 23543c1ad14fc5f11e50a45a6f2f0646811b9e9e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phan=20Kochen?=
Date: Fri, 23 Dec 2022 14:56:26 +0100
Subject: [PATCH] Add open redirect issue in hyper-staticfile (#1499)
---
crates/hyper-staticfile/RUSTSEC-0000-0000.md | 24 ++++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 crates/hyper-staticfile/RUSTSEC-0000-0000.md
diff --git a/crates/hyper-staticfile/RUSTSEC-0000-0000.md b/crates/hyper-staticfile/RUSTSEC-0000-0000.md
new file mode 100644
index 0000000..bf326f0
--- /dev/null
+++ b/crates/hyper-staticfile/RUSTSEC-0000-0000.md
@@ -0,0 +1,24 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "hyper-staticfile"
+date = "2022-12-23"
+url = "https://github.com/stephank/hyper-staticfile/commit/f12cadc6666c6f555d29725f5bc45da2103f24ea"
+categories = ["format-injection"]
+keywords = ["open redirect", "http"]
+
+[versions]
+patched = ["^0.9.4", ">= 0.10.0-alpha.5"]
+```
+
+# Location header incorporates user input, allowing open redirect
+
+When `hyper-staticfile` performs a redirect for a directory request (e.g. a
+request for `/dir` that redirects to `/dir/`), the `Location` header value was
+derived from user input (the request path), simply appending a slash. The
+intent was to perform an origin-relative redirect, but specific inputs
+allowed performing a scheme-relative redirect instead.
+
+An attacker could craft a special URL that would appear to be for the correct
+domain, but immediately redirects to a malicious domain. Such a URL can benefit
+phishing attacks, for example an innocent looking link in an email.