Also reject ASCII control chars in relative redirects

Tab/newline/CR are stripped by the WHATWG URL parser before parsing, so
/<TAB>/evil.test resolved to https://evil.test/ despite the backslash
check. Reject any ASCII control character. Adds regression cases.

Author: lovasoa

src/webserver/oidc.rs

@@ -1192,10 +1192,12 @@ impl AudienceVerifier {
 /// independent of the client. Browsers implementing the same standard (Chromium,
 /// Firefox, Safari) resolve a `Location: /\evil.test` the same way.
 pub(crate) fn is_safe_relative_redirect(uri: &str) -> bool {
-    // Reject any embedded backslash: the WHATWG URL parser used by SQLPage's
-    // `url` crate (and by browsers) treats `\` as `/`, so it can smuggle in an
-    // authority component.
-    if uri.contains('\\') {
+    // Reject backslashes and ASCII control characters. The WHATWG URL parser
+    // used by SQLPage's `url` crate (and by browsers) treats `\` as `/`, and it
+    // removes ASCII tab/newline/CR from anywhere in the input before parsing.
+    // Either can smuggle in an authority component: `/\evil.test` and
+    // `/\t/evil.test` both resolve to `https://evil.test/`.
+    if uri.contains('\\') || uri.contains(|c: char| c.is_ascii_control()) {
         return false;
     }
     let mut chars = uri.chars();
@@ -1242,6 +1244,12 @@ mod tests {
             "\\evil.test",
             "\\\\evil.test",
             "/foo\\bar",
+            // ASCII tab/newline/CR are stripped by the WHATWG URL parser, so
+            // these resolve to an authority (`//evil.test`) after stripping.
+            "/\t/evil.test",
+            "/\n/evil.test",
+            "/\r/evil.test",
+            "/\u{0000}/evil.test",
             "https://evil.test",
             "evil.test",
             "",