From 6eeded0fdf760e81af75d9c44ce539ab77da4505 Mon Sep 17 00:00:00 2001
From: Julien Pivotto
Date: Tue, 18 May 2021 14:47:45 +0200
Subject: [PATCH] Merge pull request from GHSA-vx57-7f4q-fpc7
* Do not remove /new because it is not part of the route parameter (CVE-2021-29622)
Signed-off-by: Julien Pivotto
* Release 2.26.1
Signed-off-by: Julien Pivotto
---
 CHANGELOG.md | 12 ++++++++++++
 VERSION | 2 +-
 web/web.go | 2 +-
 3 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 00c3a81832..63146a5f6f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,15 @@
+## 2.26.1 / 2021-05-18
+
+This release contains a bug fix for a security issue in the API endpoint. An
+attacker can craft a special URL that redirects a user to any endpoint via an
+HTTP 302 response. See the [security advisory][GHSA-vx57-7f4q-fpc7] for more details.
+
+[GHSA-vx57-7f4q-fpc7]:https://github.com/prometheus/prometheus/security/advisories/GHSA-vx57-7f4q-fpc7
+
+This vulnerability has been reported by Aaron Devaney from MDSec.
+
+* [BUGFIX] SECURITY: Fix arbitrary redirects under the /new endpoint (CVE-2021-29622)
+
 ## 2.26.0 / 2021-03-31
 Prometheus is now built and supporting Go 1.16 (#8544). This reverts the memory release pattern added in Go 1.12. This makes common RSS usage metrics showing more accurate number for actual memory used by Prometheus. You can read more details [here](https://www.bwplotka.dev/2019/golang-memory-monitoring/).
diff --git a/VERSION b/VERSION
index 7a25c70f90..f34083e034 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.26.0
+2.26.1
diff --git a/web/web.go b/web/web.go
index bdc5c44e5c..374627a9e3 100644
--- a/web/web.go
+++ b/web/web.go
@@ -354,7 +354,7 @@ func New(logger log.Logger, o *Options) *Handler {
 // Redirect the original React UI's path (under "/new") to its new path at the root.
 router.Get("/new/*path", func(w http.ResponseWriter, r *http.Request) {
 p := route.Param(r.Context(), "path")
- http.Redirect(w, r, path.Join(o.ExternalURL.Path, strings.TrimPrefix(p, "/new"))+"?"+r.URL.RawQuery, http.StatusFound)
+ http.Redirect(w, r, path.Join(o.ExternalURL.Path, p)+"?"+r.URL.RawQuery, http.StatusFound)
 })
 router.Get("/classic/alerts", readyf(h.alerts))
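Review bot: The safety of the `+` line rests on the `*path` catch-all value always carrying a leading `/` so that `path.Join` returns a root-relative target; nothing in the handler enforces that, and with an empty `ExternalURL.Path` a value lacking the slash would again reach `http.Redirect` unchanged, which is exactly the shape the removed `TrimPrefix` used to produce. Pinning the root explicitly costs one argument: `http.Redirect(w, r, path.Join("/", o.ExternalURL.Path, p)+"?"+r.URL.RawQuery, http.StatusFound)`. Even a rooted path can be read as scheme-relative by browsers when it begins with `/\`, because `path.Clean` does not touch backslashes, so I would confirm how the router delivers a percent-encoded backslash in `p` and strip or reject it here rather than rely on the client. The diffstat shows no test file touched; a regression test requesting `/new/` with a crafted suffix and asserting that the `Location` header stays under the external URL would keep this from regressing. `New` starts and ends outside the hunk.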