prevent open redirects, thanks Steve Rawlinson

.travis.yml

@@ -1,60 +0,0 @@
-language: python
-
-python:
-  - '2.6'
-  - '2.7'
-  - 'pypy'
-install:
-  - pip install -e .
-env:
-  - DB=sqlite:memory
-  - DB=mysql://root:@localhost/test_w2p
-  - DB=postgres://postgres:@localhost/test_w2p
-  - DB=google:datastore
-#  - DB=google:datastore+ndb
-  - DB=mongodb://mongodb:mongodb@localhost/test_w2p
-  - DB=imap://imap:imap@localhost:993
-before_script:
-  - if [[ $TRAVIS_PYTHON_VERSION != '2.7' ]]; then pip install unittest2; fi
-  - if [[ $TRAVIS_PYTHON_VERSION == '2.7' ]]; then pip install coverage; fi;
-  - if [[ $TRAVIS_PYTHON_VERSION == '2.7' ]]; then pip install python-coveralls; fi
-  - if [[ $DB == postgres* ]]; then pip install psycopg2; fi;
-  - if [[ $TRAVIS_PYTHON_VERSION == '2.5' ]]; then pip install pysqlite; fi
-  - if [[ $DB == mysql* ]]; then mysql -e 'create database test_w2p;'; fi
-  - if [[ $DB == postgres* ]]; then psql -c 'create database test_w2p;' -U postgres; fi
-
-  # Install last sdk for app engine (update only whenever a new release is available)
-  - if [[ $DB == google* ]]; then wget http://googleappengine.googlecode.com/files/google_appengine_1.8.9.zip -nv; fi
-  - if [[ $DB == google* ]]; then unzip -q google_appengine_1.8.9.zip; fi
-  - if [[ $DB == google* ]]; then mv -f ./google_appengine/google ./google; fi
-
-  - if [[ $DB == mongodb* ]]; then pip install pymongo; fi
-  - if [[ $DB == mongodb* ]]; then mongo test_w2p --eval 'db.addUser("mongodb", "mongodb");'; fi
-
-  #Temporal solution to travis issue #155
-  - sudo chmod 777 /dev/shm
-  - sudo rm -rf /dev/shm && sudo ln -s /run/shm /dev/shm
-matrix:
-  exclude:
-    - python: 'pypy'
-      env: DB=postgres://postgres:@localhost/test_w2p
-    - python: 'pypy'
-      env: DB=mysql://root:@localhost/test_w2p
-    - python: 'pypy'
-      env: DB=google:datastore
-    - python: '2.6'
-      env: DB=google:datastore
-#    - python: '2.6'
-#      env: DB=google:datastore+ndb
-
-
-script: export COVERAGE_PROCESS_START=gluon/tests/coverage.ini; ./web2py.py --run_system_tests --with_coverage
-after_success:
-  - if [[ $TRAVIS_PYTHON_VERSION == '2.7' ]]; then coverage combine; fi
-  - if [[ $TRAVIS_PYTHON_VERSION == '2.7' ]]; then coveralls --config_file=gluon/tests/coverage.ini; fi
-  
-notifications:
-  email: true
-
-services: mongodb
-

VERSION

@@ -1 +1 @@
-Version 2.9.5-trunk+timestamp.2014.05.26.23.58.37
+Version 2.9.5-trunk+timestamp.2014.06.07.23.52.05

gluon/tools.py

@@ -998,6 +998,7 @@ class Auth(object):
         retrieve_username_captcha=None,
         retrieve_password_captcha=None,
         captcha=None,
+        prevent_open_redirects=True,
         expiration=3600,            # one hour
         long_expiration=3600 * 30 * 24,  # one month
         remember_me_form=True,
@@ -2327,6 +2328,10 @@ class Auth(object):
 
         ### use session for federated login
         snext = self.get_vars_next()
+        if snext and self.settings.prevent_open_redirects:
+            if not snext.split('/')[2] == request.env.http_host:
+                snext = None
+                
         if snext:
             session._auth_next = snext
         elif session._auth_next: