From 69ded69296b781e1c3f0c3dc9ad8e9df295075e0 Mon Sep 17 00:00:00 2001 From: Uxio Fuentefria <6909403+Uxio0@users.noreply.github.com> Date: Wed, 15 Apr 2026 16:53:17 +0200 Subject: [PATCH] Guard http_redirect_middleware against double prefix in Location header When the app is behind a proxy that already includes the forwarded prefix in generated Location URLs, naively prepending prefix produced doubled paths like /safe-decoder/safe-decoder/... . Only prepend prefix when the path does not already start with it. --- app/main.py | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/app/main.py b/app/main.py index a52d142..39e072a 100644 --- a/app/main.py +++ b/app/main.py @@ -1,3 +1,4 @@ +# SPDX-License-Identifier: FSL-1.1-MIT import asyncio import datetime import logging @@ -140,12 +141,17 @@ async def http_redirect_middleware(request: Request, call_next): host = request.headers.get("x-forwarded-host") protocol = request.headers.get("x-forwarded-proto") port = request.headers.get("x-forwarded-port") + new_path = ( + prefix + original_url.path + if not original_url.path.startswith(prefix) + else original_url.path + ) response.headers["location"] = str( original_url.replace( scheme=protocol, hostname=host, port=port, - path=prefix + original_url.path, + path=new_path, ) ) return response