Changeset - 04d2bcfbe7a6
beta
Marcin Kuzminski - 13 years ago 2012-07-31 00:27:22
marcin@python-works.com
security fix, inspired by django security
announcement: https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/
- filter out bad schemes and netloc differences
1 file changed with 14 insertions and 0 deletions:
rhodecode/controllers/login.py
 
@@ -23,12 +23,13 @@
 
# You should have received a copy of the GNU General Public License
 
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
 

	
 
import logging
 
import formencode
 
import datetime
 
import urlparse
 

	
 
from formencode import htmlfill
 
from webob.exc import HTTPFound
 
from pylons.i18n.translation import _
 
from pylons.controllers.util import abort, redirect
 
from pylons import request, response, session, tmpl_context as c, url
 
@@ -93,12 +94,25 @@ class LoginController(BaseController):
 
                # we set new cookie
 
                headers = None
 
                if session.request['set_cookie']:
 
                    # send set-cookie headers back to response to update cookie
 
                    headers = [('Set-Cookie', session.request['cookie_out'])]
 

	
 
                allowed_schemes = ['http', 'https', 'ftp']
 
                parsed = urlparse.urlparse(c.came_from)
 
                server_parsed = urlparse.urlparse(url.current())
 

	
 
                if parsed.scheme and parsed.scheme not in allowed_schemes:
 
                    log.error('Suspicious URL scheme detected %s for url %s' %
 
                              (parsed.scheme, parsed))
 
                    c.came_from = url('home')
 
                elif server_parsed.netloc != parsed.netloc:
 
                    log.error('Suspicious NETLOC detected %s for url %s'
 
                              'server url is: %s' %
 
                              (parsed.netloc, parsed, server_parsed))
 
                    c.came_from = url('home')
 
                if c.came_from:
 
                    raise HTTPFound(location=c.came_from, headers=headers)
 
                else:
 
                    raise HTTPFound(location=url('home'), headers=headers)
 

	
 
            except formencode.Invalid, errors:
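Review bot: A relative `came_from` (the usual shape of a post-login redirect target) parses with an empty `parsed.netloc`, so the `elif server_parsed.netloc != parsed.netloc:` branch in the second hunk logs it as suspicious and rewrites it to `url('home')`; this fails closed, but it appears to reject every relative redirect rather than only cross-host ones. If relative targets are meant to be accepted, the condition should be `elif parsed.netloc and server_parsed.netloc != parsed.netloc:`, and since browsers treat a path beginning with `//` or `/\` as scheme-relative, a `parsed.path` starting with either should be rejected in the same branch so an empty netloc cannot be used to leave the site. The second `log.error` call concatenates `'Suspicious NETLOC detected %s for url %s'` directly with `'server url is: %s'`, so the logged message runs the two fragments together; add a trailing space to the first fragment. The enclosing LoginController method starts and ends outside the hunk, and whether `came_from` can actually be relative here cannot be confirmed from the visible lines.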