
URL with line breaks are not properly managed #3743

Closed
Frenchcooc opened this issue May 3, 2022 · 2 comments

Comments

@Frenchcooc

Version

3.5.3

Reproduction link

codesandbox.io

Steps to reproduce

From Codesandbox reproduction link:

  1. Open Codesandbox
  2. Click on "Click me"
  3. The browser opens example.org

Locally:

  1. Create a blank Vue app with vue-router
  2. Add a link as follows: Click me
  3. Specify a URL with a line break such as:

```
/
/example.com
```

  4. Click the link; your browser will open /example.com

What is expected?

It should trigger an error (whether as not a valid URL or as not the same origin) or redirect to /.
Or it should redirect to //example.com (removing line breaks).

What is actually happening?

The browser opens http://example.com


The bug was reported to us by a bug hunter.

One of our URLs, https://dashboard.mailmeteor.com/login?redirect=%2F, was affected by the bug. If you share a URL to Mailmeteor having a line break in it, such as https://dashboard.mailmeteor.com/login?redirect=%2F%0D%0A%2Fexample.com, our application was redirecting to the distant domain. This has been fixed in our application by preventing redirection to URLs with multiple lines.

While looking at the source of this issue, it turns out that the vue-router codebase defaults to window.location.replace in case the history.replaceState method triggers an error. See here:

```js
window.location[replace ? 'replace' : 'assign'](url)
```

And window.location.replace(url) has a "bug" where, when you provide a URL with a line break, it redirects to the last line:

```js
var url = `/
/example.org`
window.location.replace(url) // opens "example.org"
```
@Frenchcooc Frenchcooc changed the title from "Vue-router defaults to window.location on error triggers an issue with URL with line breaks" to "URL with line breaks are not properly managed" on May 3, 2022
@Frenchcooc (Author)

First bug report on this repo. Feel free to change the title of the issue and let me know if you need more details :)

@posva posva closed this as completed in 86d7f1f May 13, 2022
@posva (Member)

posva commented May 13, 2022

I pushed a fix for this particular case because it is so easy to get wrong in userland, but note that redirecting to a user-provided URL can always present a security risk. The app is responsible for sanitizing it if it wants to display it somewhere.
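As an added example (not vue-router's, Mailmeteor's or posva's code), the following shows why the `%0D%0A` redirect parameter described in the issue ends up on another host, and the kind of same-origin check in userland that posva's comment asks for. It assumes Node's WHATWG `URL` global (which strips ASCII tab/newline exactly as browsers do) and uses a constructed origin, `https://dashboard.example.test`, in place of the real one.

```javascript
// Added example: CR/LF in a redirect target turns "/\r\n/example.com" into the
// protocol-relative "//example.com", and a hardened same-origin check.

// What the browser's URL parser does with the raw target: ASCII tab, CR and LF
// are silently removed before parsing, so the remaining "//example.com" is
// resolved as a protocol-relative URL on a different host.
function resolveLikeBrowser(target, currentOrigin) {
  return new URL(target, currentOrigin).href;
}

// The login page's view of the redirect parameter (URLSearchParams decodes
// %0D%0A into a literal CR LF pair).
function redirectParam(loginUrl) {
  return new URL(loginUrl).searchParams.get('redirect');
}

// Hardened userland check: return a path on the current origin or the fallback.
function safeRedirectTarget(target, currentOrigin, fallback = '/') {
  if (typeof target !== 'string' || target === '') return fallback;
  // Reject the characters the parser would strip, so the value we validate is
  // the value the browser will actually navigate to.
  if (/[\t\n\r]/.test(target)) return fallback;
  let parsed;
  try {
    parsed = new URL(target, currentOrigin); // also rejects unparsable input
  } catch (e) {
    return fallback;
  }
  // "//host", "https://host/..." and "javascript:" all fail this comparison.
  if (parsed.origin !== currentOrigin) return fallback;
  // Re-serialise so only path, query and fragment reach the redirect.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Constructed sample input mirroring the issue's reproduction.
const ORIGIN = 'https://dashboard.example.test';
const LOGIN_URL = ORIGIN + '/login?redirect=%2F%0D%0A%2Fexample.com';

const raw = redirectParam(LOGIN_URL);                 // "/\r\n/example.com"
console.log(JSON.stringify(raw));
console.log(resolveLikeBrowser(raw, ORIGIN));         // https://example.com/
console.log(safeRedirectTarget(raw, ORIGIN));         // "/"
console.log(safeRedirectTarget('/inbox?tab=1', ORIGIN)); // "/inbox?tab=1"
```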
