Open redirect attacks should be caught for all functions that use the _next variable (for example: logout()) instead of just for the login() function.

2015-07-01 18:38:43 -04:00
parent 896b45b838
commit f9cd7e4ef4
1 changed files with 6 additions and 4 deletions
@@ -1541,6 +1541,12 @@ class Auth(object):
        next = current.request.vars._next
        if isinstance(next, (list, tuple)):
            next = next[0]
+        if next and self.settings.prevent_open_redirect_attacks:
+            # Prevent an attacker from adding an arbitrary url after the
+            # _next variable in the request.
+            items = next.split('/')
+            if '//' in next and items[2] != current.request.env.http_host:
+                next = None            
        return next

    def _get_user_id(self):
@@ -2513,10 +2519,6 @@ class Auth(object):

        ### use session for federated login
        snext = self.get_vars_next()
-        if snext and self.settings.prevent_open_redirect_attacks:
-            items = snext.split('/')
-            if '//' in snext and items[2] != request.env.http_host:
-                snext = None

        if snext:
            session._auth_next = snext