Fixed open redirect security vulnerability. The previous filter searched for two forward slashes "//" in the "_next” parameter and if the two forward slashes were found it would check the URI and determine if the hostname matched the hostname of the web server. If not, it would change the next variable to the None. However, browsers don't require two forward slashes. As a feature, browsers accept typos such as http:google.com or http:/google.com and redirect to http://google.com. This can be used to leverage an open redirect attack even with the current filter. This commit fixes the open redirect vulnerability in the _next get parameter. Thanks to jnbrex for helping debug/write the patch for this vulnerability.

2016-06-30 17:24:47 -04:00
parent 5f80300c5d
commit d95acb6897
1 changed files with 5 additions and 2 deletions
@@ -1921,8 +1921,11 @@ class Auth(object):
            # Prevent an attacker from adding an arbitrary url after the
            # _next variable in the request.
            items = next.split('/')
-            if '//' in next and items[2] != current.request.env.http_host:
-                next = None
+            if next:
+                if next[0] != '/':
+                    if '://' not in next or next.split('://')[1].split('/')[0] != current.request.env.http_host:
+                        if ':' in next.split('/')[0]:
+                            next = None
        return next

    def _get_user_id(self):