From d95acb68971ec9096f1d685de0bbc26d7922645b Mon Sep 17 00:00:00 2001
From: Th3R3p0
Date: Thu, 30 Jun 2016 17:24:47 -0400
Subject: [PATCH] =?UTF-8?q?Fixed=20open=20redirect=20security=20vulnerabil?=
 =?UTF-8?q?ity.=20The=20previous=20filter=20searched=20for=20two=20forward?=
 =?UTF-8?q?=20slashes=20"//"=20in=20the=20"=5Fnext=E2=80=9D=20parameter=20?=
 =?UTF-8?q?and=20if=20the=20two=20forward=20slashes=20were=20found=20it=20?=
 =?UTF-8?q?would=20check=20the=20URI=20and=20determine=20if=20the=20hostna?=
 =?UTF-8?q?me=20matched=20the=20hostname=20of=20the=20web=20server.=20If?=
 =?UTF-8?q?=20not,=20it=20would=20change=20the=20next=20variable=20to=20th?=
 =?UTF-8?q?e=20None.=20However,=20browsers=20don't=20require=20two=20forwa?=
 =?UTF-8?q?rd=20slashes.=20As=20a=20feature,=20browsers=20accept=20typos?=
 =?UTF-8?q?=20such=20as=20http:google.com=20or=20http:/google.com=20and=20?=
 =?UTF-8?q?redirect=20to=20http://google.com.=20This=20can=20be=20used=20t?=
 =?UTF-8?q?o=20leverage=20an=20open=20redirect=20attack=20even=20with=20th?=
 =?UTF-8?q?e=20current=20filter.=20This=20commit=20fixes=20the=20open=20re?=
 =?UTF-8?q?direct=20vulnerability=20in=20the=20=5Fnext=20get=20parameter.?=
 =?UTF-8?q?=20Thanks=20to=20jnbrex=20for=20helping=20debug/write=20the=20p?=
 =?UTF-8?q?atch=20for=20this=20vulnerability.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 gluon/tools.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/gluon/tools.py b/gluon/tools.py
index 7bfa4b7f..98e6bc02 100644
--- a/gluon/tools.py
+++ b/gluon/tools.py
@@ -1921,8 +1921,11 @@ class Auth(object):
 # Prevent an attacker from adding an arbitrary url after the
 # _next variable in the request.
 items = next.split('/')
- if '//' in next and items[2] != current.request.env.http_host:
- next = None
+ if next:
+ if next[0] != '/':
+ if '://' not in next or next.split('://')[1].split('/')[0] != current.request.env.http_host:
+ if ':' in next.split('/')[0]:
+ next = None
 return next
 def _get_user_id(self):
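Review bot: The new guard `if next[0] != '/':` exempts every value that begins with a slash, so a protocol-relative target such as `//evil.example/` is now returned unchanged and the browser resolves it to another host; the removed `'//' in next` test was the only thing that caught that form, so this hunk reopens the open redirect it sets out to close. Browsers that normalize a backslash to a slash would treat `/\evil.example` and `\\evil.example` the same way, so those prefixes deserve the same rejection. Suggest checking them before the scheme logic: `if next[:2] in ('//', '/\\', '\\\\'):` / `    next = None` / `elif next[0] != '/':`, with the existing `'://'` and `':'` tests kept under that `elif`. Separately, `items = next.split('/')` is no longer read anywhere in the hunk and still runs before the `if next:` guard, so a `None` value raises there; it can be dropped if nothing after the hunk uses it. The enclosing method starts before the hunk and `_get_user_id` continues past its last line.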