From b5842308892e0c4f9e772a42d5826f6f62f57be3 Mon Sep 17 00:00:00 2001
From: Roland Shoemaker <roland@golang.org>
Date: Mon, 26 Apr 2021 20:10:56 -0700
Subject: [PATCH] net/http: use relative path in Location redirect

If the cleaned path did not match the requested path, ServeMux.Handler
would return a Location header which reflected the hostname in the
request, possibly leading to an incorrect redirect. Instead the
Location header should be relative, like the other cases in
ServeMux.Handler.

Change-Id: I2c220d925e708061bc128f0bdc96cca7a32764d3
Reviewed-on: https://go-review.googlesource.com/c/go/+/313950
Trust: Roland Shoemaker <roland@golang.org>
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
---
 src/net/http/serve_test.go | 17 +++++++++++++++++
 src/net/http/server.go     |  5 ++---
 2 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/src/net/http/serve_test.go b/src/net/http/serve_test.go
index f8687416fe..a9714682c7 100644
--- a/src/net/http/serve_test.go
+++ b/src/net/http/serve_test.go
@@ -6507,3 +6507,20 @@ func TestDisableKeepAliveUpgrade(t *testing.T) {
 		t.Fatalf("unexpected value read from body:\ngot: %q\nwant: %q", b, "hello")
 	}
 }
+
+func TestMuxRedirectRelative(t *testing.T) {
+	setParallel(t)
+	req, err := ReadRequest(bufio.NewReader(strings.NewReader("GET http://example.com HTTP/1.1\r\nHost: test\r\n\r\n")))
+	if err != nil {
+		t.Errorf("%s", err)
+	}
+	mux := NewServeMux()
+	resp := httptest.NewRecorder()
+	mux.ServeHTTP(resp, req)
+	if got, want := resp.Header().Get("Location"), "/"; got != want {
+		t.Errorf("Location header expected %q; got %q", want, got)
+	}
+	if got, want := resp.Code, StatusMovedPermanently; got != want {
+		t.Errorf("Expected response code %d; got %d", want, got)
+	}
+}
diff --git a/src/net/http/server.go b/src/net/http/server.go
index e52a78e652..4e73508973 100644
--- a/src/net/http/server.go
+++ b/src/net/http/server.go
@@ -2404,9 +2404,8 @@ func (mux *ServeMux) Handler(r *Request) (h Handler, pattern string) {
 
 	if path != r.URL.Path {
 		_, pattern = mux.handler(host, path)
-		url := *r.URL
-		url.Path = path
-		return RedirectHandler(url.String(), StatusMovedPermanently), pattern
+		u := &url.URL{Path: path, RawQuery: r.URL.RawQuery}
+		return RedirectHandler(u.String(), StatusMovedPermanently), pattern
 	}
 
 	return mux.handler(host, r.URL.Path)
-- 
2.50.0