dinislage/web2py
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #1382 from apa-1/master

Browse Source 
Fix next redirect if only one / exists
This commit is contained in:
mdipierro
2016-07-01 02:00:58 -05:00
committed by GitHub
parent 229da5847b f87c3e260c
commit 409cfda1f6
1 changed files with 7 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
gluon/tools.py
+7 -5
View File
@@ -1918,11 +1918,13 @@ class Auth(object):
if isinstance(next, (list, tuple)):
next = next[0]
if next and self.settings.prevent_open_redirect_attacks:
# Prevent an attacker from adding an arbitrary url after the
# _next variable in the request.
items = next.split('/')
if '//' in next and items[2] != current.request.env.http_host:
next = None
# Prevent an attacker from adding an arbitrary url after the _next variable in the request.
# Browsers will fix a single / so check multiple things just in case
items = filter(None, next.split('/'))
has_url = any(x in next for x in ['//', ':', 'ftp', 'http', 'rss', 'xml'])
if has_url and len(items) > 1:
if items[1] != current.request.env.http_host:
next = None
return next
def _get_user_id(self):