From 6b901b1f32f25a72e2e992143769a65b8e0fca7b Mon Sep 17 00:00:00 2001
From: Jan Michael Auer
Date: Fri, 15 Dec 2023 23:37:08 +0100
Subject: [PATCH] Reject redirects with invalid scheme (#2068)
---
 src/async_impl/client.rs | 4 ++++
 tests/redirect.rs | 16 ++++++++++++++++
 2 files changed, 20 insertions(+)
diff --git a/src/async_impl/client.rs b/src/async_impl/client.rs
index b6b515b89..e778021c8 100644
--- a/src/async_impl/client.rs
+++ b/src/async_impl/client.rs
@@ -2367,6 +2367,10 @@ impl Future for PendingRequest {
 redirect::ActionKind::Follow => {
 debug!("redirecting '{}' to '{}'", self.url, loc);
+ if loc.scheme() != "http" && loc.scheme() != "https" {
+ return Poll::Ready(Err(error::url_bad_scheme(loc)));
+ }
+
 if self.client.https_only && loc.scheme() != "https" {
 return Poll::Ready(Err(error::redirect(
 error::url_bad_scheme(loc.clone()),
diff --git a/tests/redirect.rs b/tests/redirect.rs
index 77ab29149..953bf5b04 100644
--- a/tests/redirect.rs
+++ b/tests/redirect.rs
@@ -286,6 +286,22 @@ async fn test_invalid_location_stops_redirect_gh484() {
 assert_eq!(res.status(), reqwest::StatusCode::FOUND);
 }
+#[tokio::test]
+async fn test_invalid_scheme_is_rejected() {
+ let server = server::http(move |_req| async move {
+ http::Response::builder()
+ .status(302)
+ .header("location", "htt://www.yikes.com/")
+ .body(Body::default())
+ .unwrap()
+ });
+ let url = format!("http://{}/yikes", server.addr());
+ let err = reqwest::get(&url).await.unwrap_err();
+ assert!(err.is_builder());
+}
+ #[cfg(feature = "cookies")]
+#[tokio::test]
 async fn test_redirect_302_with_set_cookies() {
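Review bot: The new scheme check returns a bare `error::url_bad_scheme(loc)`, while the `https_only` branch two lines below wraps the same error in `error::redirect(...)`, so a redirect target with a non-http(s) scheme surfaces as a builder error (`is_builder()`) instead of a redirect error and a caller cannot tell that it was raised while following a `Location` header. For consistency, wrap it the same way, `return Poll::Ready(Err(error::redirect(error::url_bad_scheme(loc.clone()), ...)));`, passing the same second argument the branch below uses (that argument is cut off by the hunk). If the bare error is intentional, a comment such as `// Only http(s) targets may be followed; other schemes are rejected here, before the https_only check, so they never reach the connector.` would record the reason and the ordering. The enclosing `Future::poll` body for `PendingRequest` starts and ends outside the hunk.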
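Review bot: `assert!(err.is_builder())` is the only assertion in `test_invalid_scheme_is_rejected`, so the test also passes on any unrelated builder error raised before the redirect is followed and does not prove the rejection came from the `Location` target. If `url_bad_scheme` attaches the offending URL to the error (the error module is not in this hunk), pinning it makes the test specific: `assert_eq!(err.url().map(|u| u.as_str()), Some("htt://www.yikes.com/"));`. A second case using a well-formed but non-http(s) scheme such as `ftp://` would document that the client rejects unsupported schemes, not only unparseable ones.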