The static file server's canonical 301 redirects (index-file strip, directory trailing-slash add, and file trailing-slash strip) built the Location header verbatim from the un-normalized request target. Request-target validation only requires a leading / and the absence of CTL bytes, and the .. check plus segment decoding drop empty segments, so a target like //evil.example/index.html or /\evil.example/ survived validation and produced a Location such as //evil.example/ — a scheme-relative network-path reference (RFC 3986 §4.2) that browsers resolve to a foreign authority.
A crafted request to the file server could produce a redirect to an attacker-controlled host (open redirect).
Fixed in HTTP.jl v2.4.0. A new _sanitize_redirect_location collapses any leading run of / or \ separators down to a single /, re-rooting the Location at the server's own origin so it can never carry an authority component (backslashes are treated as separators because browsers normalize \ to /). Every canonical-redirect branch routes its Location through the sanitizer; single-rooted local paths are unchanged.
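The following is an added illustration in Python, not HTTP.jl's own code: it reconstructs the behaviour the advisory describes, with the index-file-strip branch standing in for all three canonical redirects. The function names, the single redirect branch, and the same-origin check (which mirrors the browser's \ to / normalization before parsing) are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Hypothetical reconstruction of the fix described above (not HTTP.jl code):
# collapse any leading run of '/' or '\' separators down to a single '/'.
_LEADING_SEPARATORS = re.compile(r"^[/\\]+")


def sanitize_redirect_location(location: str) -> str:
    """Re-root a Location value at the server's own origin.

    Backslashes count as separators because browsers normalize '\\' to '/',
    so '/\\evil.example/' would otherwise be read as '//evil.example/'.
    A single-rooted local path such as '/docs/' is returned unchanged.
    """
    return _LEADING_SEPARATORS.sub("/", location, count=1)


def is_same_origin_location(location: str) -> bool:
    """Return True if a browser would resolve `location` on the current origin.

    The check models the browser: backslashes are normalized to slashes first,
    then the value must be an absolute path with no scheme and no authority.
    """
    browser_view = location.replace("\\", "/")
    parts = urlsplit(browser_view)
    return parts.scheme == "" and parts.netloc == "" and browser_view.startswith("/")


def index_strip_location(target: str, *, sanitize: bool) -> str:
    """Canonical redirect for a request that names the index file directly,
    e.g. '/docs/index.html' -> '/docs/'.

    With sanitize=False the Location is built verbatim from the un-normalized
    target (the vulnerable behaviour); with sanitize=True it is routed through
    the sanitizer (the fixed behaviour).
    """
    if not target.endswith("index.html"):
        raise ValueError("index-strip redirect only applies to .../index.html")
    location = target[: -len("index.html")]
    return sanitize_redirect_location(location) if sanitize else location


def check_targets(targets):
    """Compare both behaviours over a list of request targets.

    Returns a list of (target, unsafe_location, unsafe_is_local,
    fixed_location, fixed_is_local) tuples.
    """
    rows = []
    for target in targets:
        unsafe = index_strip_location(target, sanitize=False)
        fixed = index_strip_location(target, sanitize=True)
        rows.append((target, unsafe, is_same_origin_location(unsafe),
                     fixed, is_same_origin_location(fixed)))
    return rows


if __name__ == "__main__":
    # Constructed sample request targets: one benign, two of the shape the
    # advisory describes (the hostname is a placeholder, not a real target).
    samples = [
        "/docs/index.html",
        "//evil.example/index.html",
        "/\\evil.example/index.html",
    ]
    for row in check_targets(samples):
        print("target=%r unsafe=%r local=%s fixed=%r local=%s" % row)
```

Run the module directly to see, for each constructed target, the Location the pre-fix branch would have emitted beside the sanitized one; only the sanitized values pass the same-origin check for the two attacker-shaped targets, while the benign `/docs/index.html` yields `/docs/` in both cases.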
Reported to the JuliaLang security team through Anthropic's Coordinated Vulnerability Disclosure program.
{
"license": "CC-BY-4.0"
}