utils: disallow any redirect URL starting with /\ or \\ (#81522)
This commit is contained in:
parent
fb2f1152d8
commit
00f910546f
@ -1029,6 +1029,8 @@ def good_next_url(request, next_url):
|
|||
'''Check if an URL is a good next_url'''
|
||||
if not next_url:
|
||||
return False
|
||||
if next_url.startswith('/\\') or next_url.startswith('\\\\'):
|
||||
return False
|
||||
if next_url.startswith('/') and (len(next_url) == 1 or next_url[1] != '/'):
|
||||
return True
|
||||
if same_origin(request.build_absolute_uri(), next_url):
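Review bot: The new guard `if next_url.startswith('/\\') or next_url.startswith('\\\\'):` rejects exactly two literal prefixes, while the underlying problem is that browsers fold `\` into `/` when parsing a URL, so `/\host` is read as the protocol-relative `//host`. Normalising once and running the existing slash check on the result applies the same rule to other backslash placements (for instance `\/host`) instead of leaving them to the later `same_origin` branch, whose handling of scheme-less input is not visible in this hunk: `candidate = next_url.replace('\\', '/')` before the checks, then `if candidate.startswith('/') and (len(candidate) == 1 or candidate[1] != '/'): return True`. Whichever form is kept, the guard deserves a why-comment, e.g. `# browsers treat '\' as '/', so '/\host' is a protocol-relative redirect to host`. good_next_url's body continues past the end of the hunk.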
|
||||
|
|
|
@ -49,6 +49,10 @@ def test_good_next_url(db, rf, settings):
|
|||
assert not good_next_url(request, 'https://google.com/')
|
||||
assert not good_next_url(request, '')
|
||||
assert not good_next_url(request, None)
|
||||
assert not good_next_url(request, '/\\example.com/')
|
||||
assert not good_next_url(request, '/\\example.net/')
|
||||
assert not good_next_url(request, '\\\\example.com/')
|
||||
assert not good_next_url(request, '\\\\example.net/')
|
||||
|
||||
|
||||
def test_good_next_url_backends(rf, external_redirect):
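Review bot: The four new assertions in test_good_next_url pin only the two literal prefixes the fix rejects, so a later rewrite of the guard that still handles `/\` and `\\` but misses a backslash elsewhere in the leading characters would pass. Covering the same class of input once more, `assert not good_next_url(request, '\\/example.com/')`, plus the plain protocol-relative form `assert not good_next_url(request, '//example.com/')` if it is not already asserted above the hunk, would make the regression test describe the intent rather than the two examples. test_good_next_url starts before the hunk.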
|
||||
|
|