Trailing slash middleware open redirect

[GeoffreyFrogeye]

Issue Description

When using middleware.AddTrailingSlashWithConfig (resp middleware.RemoveTrailingSlashWithConfig) with a RedirectCode configured, it is possible to create open redirects with addresses like this one: http://my_echo_app.com/%5Cevil_website_com (resp http://my_echo_app.com/%5Cevil_website_com/).

Checklist

• Dependencies installed
• No typos
• Searched existing issues and docs

Steps to reproduce

• Compile example code and run
• Open http://localhost:1323/%5Cexample.com

Expected behaviour

Obtain a 404 error, or anything as long as I stay on localhost:1232.

Actual behaviour

Being redirected to example.com.

Working code to debug

package main

import (
	"net/http"
	"github.com/labstack/echo/v4"
	"github.com/labstack/echo/v4/middleware"
)

func main() {
	e := echo.New()

	e.Use(middleware.AddTrailingSlashWithConfig(middleware.TrailingSlashConfig{
		RedirectCode: http.StatusMovedPermanently,
	}))

	e.Logger.Fatal(e.Start(":1323"))
}

This is basically the Full Go Example stripped down with the Custom Configuration example of the documentation on the Trailing Slash Middleware.

This also works with RemoveTrailingSlashWithConfig and the link http://localhost:1323/%5Cexample.com/.

Version/commit

Whatever is fetched by go get github.com/labstack/echo/v4 today (sorry, not super familiar with Go).

[aldas]

Seems that /\ is interpreted by browsers as // or \\ which is absolute uri https://stackoverflow.com/a/4661857/2514290

This is what Location header is:

curl -v http://localhost:1323/%5Cexample.com
*   Trying 127.0.0.1:1323...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 1323 (#0)
> GET /%5Cexample.com HTTP/1.1
> Host: localhost:1323
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Location: /\example.com/
< Date: Thu, 11 Feb 2021 09:33:31 GMT
< Content-Length: 0
< 
* Connection #0 to host localhost left intact