backoffice: check back value of lookup form (#88247)

2024-03-15 20:16:59 +01:00 · 2024-03-15 20:16:59 +01:00 · 2399c72d27
parent 75030a2bd7
commit 2399c72d27
2 changed files with 11 additions and 1 deletions
--- a/tests/backoffice_pages/test_all.py
+++ b/tests/backoffice_pages/test_all.py
@ -3889,6 +3889,13 @@ def test_formdata_lookup(pub):
        resp = resp.follow()
        assert 'No such tracking code or identifier.' in resp.text

+    # check it's not possible to replace back value with anything else
+    for invalid_value in ('http://example.invalid/', 'xxx'):
+        resp = app.get('/backoffice/management/listing')
+        resp.forms[0]['back'] = invalid_value
+        resp = resp.forms[0].submit()
+        assert resp.location == 'http://example.net/backoffice/management/'
+

 def test_backoffice_sidebar_user_context(pub):
    user = create_user(pub)
--- a/wcs/backoffice/management.py
+++ b/wcs/backoffice/management.py
@ -298,7 +298,10 @@ class ManagementDirectory(Directory):
            get_session().message = None
            return redirect(formdata.get_url(backoffice=True))

-        return redirect(get_request().form.get('back') or '.')
+        back_place = get_request().form.get('back')
+        if back_place not in ('listing', 'forms'):
+            back_place = '.'  # auto
+        return redirect(back_place)

    def get_lookup_sidebox(self, back_place=''):
        r = TemplateIO(html=True)