utils: disallow any redirect URL starting with /\ or \\ (#81522)

Benjamin Dauvergne 2023-09-23 09:49:00 +02:00
parent fb2f1152d8
commit 00f910546f
2 changed files with 6 additions and 0 deletions


@ -1029,6 +1029,8 @@ def good_next_url(request, next_url):
'''Check if an URL is a good next_url'''
if not next_url:
return False
if next_url.startswith('/\\') or next_url.startswith('\\\\'):
return False
if next_url.startswith('/') and (len(next_url) == 1 or next_url[1] != '/'):
return True
if same_origin(request.build_absolute_uri(), next_url):
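Review bot: The new guard on the `if next_url.startswith('/\\') or next_url.startswith('\\\\')` line matches two literal prefixes only, while a WHATWG-style browser URL parser treats `\` as `/` in either position of the leading separator pair, so the backslash-first form `\/evil.com` is not caught here and whether it is rejected depends on `same_origin`, which is outside the hunk. Normalising the separators once covers all four combinations and replaces both calls: `# browsers parse "\" as "/", so "/\evil.com" is a protocol-relative redirect`, `if next_url.replace('\\', '/').startswith('//'):`, `return False` (this also short-circuits the existing `//` case instead of letting it reach `same_origin`, which looks intended given the tests). If this is a Django project, as `request.build_absolute_uri()` suggests, `django.utils.http.url_has_allowed_host_and_scheme` already performs this backslash normalisation plus the `///` and leading-control-character checks and may be the better thing to delegate to. `good_next_url` continues past the end of the hunk.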


@ -49,6 +49,10 @@ def test_good_next_url(db, rf, settings):
assert not good_next_url(request, 'https://google.com/')
assert not good_next_url(request, '')
assert not good_next_url(request, None)
assert not good_next_url(request, '/\\example.com/')
assert not good_next_url(request, '/\\example.net/')
assert not good_next_url(request, '\\\\example.com/')
assert not good_next_url(request, '\\\\example.net/')
def test_good_next_url_backends(rf, external_redirect):
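Review bot: The four new assertions exercise `/\\` and `\\\\` but not the backslash-first pair, which a browser normalises to the same `//example.com`; adding `assert not good_next_url(request, '\\/example.com/')` next to them would pin that case, and its current result depends on `same_origin` rather than on the new guard. A scheme-with-backslash variant such as `'https:\\\\example.com/'` is worth a case for the same reason. `test_good_next_url` begins before the start of the hunk.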