Changeset - 38d1c99cd000
Parent rev.
Child rev.
[Not reviewed]
stable
0 2 0
Søren Løvborg - 10 years ago 2015-09-23 16:09:14
sorenl@unity3d.com
login: enhance came_from validation

Drop urlparse and just validate that came_from is a RFC 3986 compliant path.

This blocks an HTTP header injection vulnerability discovered by
Gjoko Krstic <gjoko@zeroscience.mk> of Zero Science Lab (CVE-2015-5285)
2 files changed with 17 insertions and 5 deletions:
kallithea/controllers/login.py
14
5
kallithea/tests/functional/test_login.py
3
0 comments (0 inline, 0 general)
kallithea/controllers/login.py
Show inline comments
 
@@ -18,26 +18,26 @@ kallithea.controllers.login
 
Login controller for Kallithea
 

			




	
	
	
		
 
This file was forked by the Kallithea project in July 2014.

			




	
	
	
		
 
Original author and date, and relevant copyright and licensing information is below:

			




	
	
	
		
 
:created_on: Apr 22, 2010

			




	
	
	
		
 
:author: marcink

			




	
	
	
		
 
:copyright: (c) 2013 RhodeCode GmbH, and others.

			




	
	
	
		
 
:license: GPLv3, see LICENSE.md for more details.

			




	
	
	
		
 
"""

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
import logging

			




	
	
	
		
 
import re

			




	
	
	
		
 
import formencode

			




	
	
	
		
 
import urlparse

			




	
	
	
		
 

			




	
	
	
		
 
from formencode import htmlfill

			




	
	
	
		
 
from webob.exc import HTTPFound, HTTPBadRequest

			




	
	
	
		
 
from pylons.i18n.translation import _

			




	
	
	
		
 
from pylons.controllers.util import redirect

			




	
	
	
		
 
from pylons import request, session, tmpl_context as c, url

			




	
	
	
		
 

			




	
	
	
		
 
import kallithea.lib.helpers as h

			




	
	
	
		
 
from kallithea.lib.auth import AuthUser, HasPermissionAnyDecorator

			




	
	
	
		
 
from kallithea.lib.base import BaseController, log_in_user, render

			




	
	
	
		
 
from kallithea.lib.exceptions import UserCreationError

			




	
	
	
		
 
from kallithea.lib.utils2 import safe_str

			




	
	
		
 
@@ -47,28 +47,37 @@ from kallithea.model.forms import \

			




	
	
	
		
 
from kallithea.model.user import UserModel

			




	
	
	
		
 
from kallithea.model.meta import Session

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
log = logging.getLogger(__name__)

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
class LoginController(BaseController):

			




	
	
	
		
 

			




	
	
	
		
 
    def __before__(self):

			




	
	
	
		
 
        super(LoginController, self).__before__()

			




	
	
	
		
 

			




	
	
	
		
 
    def _validate_came_from(self, came_from):

			




	
	
	
		
 
        """Return True if came_from is valid and can and should be used"""

			




	
	
	
		
 
        url = urlparse.urlsplit(came_from)

			




	
	
	
		
 
        return not url.scheme and not url.netloc

			




	
	
	
		
 
    def _validate_came_from(self, came_from,

			




	
	
	
		
 
            _re=re.compile(r"/(?!/)[-!#$%&'()*+,./:;=?@_~0-9A-Za-z]*$")):

			




	
	
	
		
 
        """Return True if came_from is valid and can and should be used.

			




	
	
	
		
 

			




	
	
	
		
 
        Determines if a URI reference is valid and relative to the origin;

			




	
	
	
		
 
        or in RFC 3986 terms, whether it matches this production:

			




	
	
	
		
 

			




	
	
	
		
 
          origin-relative-ref = path-absolute [ "?" query ] [ "#" fragment ]

			




	
	
	
		
 

			




	
	
	
		
 
        with the exception that '%' escapes are not validated and '#' is

			




	
	
	
		
 
        allowed inside the fragment part.

			




	
	
	
		
 
        """

			




	
	
	
		
 
        return _re.match(came_from) is not None

			




	
	
	
		
 

			




	
	
	
		
 
    def index(self):

			




	
	
	
		
 
        c.came_from = safe_str(request.GET.get('came_from', ''))

			




	
	
	
		
 
        if c.came_from:

			




	
	
	
		
 
            if not self._validate_came_from(c.came_from):

			




	
	
	
		
 
                log.error('Invalid came_from (not server-relative): %r', c.came_from)

			




	
	
	
		
 
                raise HTTPBadRequest()

			




	
	
	
		
 
        else:

			




	
	
	
		
 
            c.came_from = url('home')

			




	
	
	
		
 

			




	
	
	
		
 
        not_default = self.authuser.username != User.DEFAULT_USER

			




	
	
	
		
 
        ip_allowed = AuthUser.check_ip_allowed(self.authuser, self.ip_addr)

			




        

    


    
    

    

        

                

                    kallithea/tests/functional/test_login.py
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
		
 
@@ -98,24 +98,27 @@ class TestLoginController(TestController

			




	
	
	
		
 

			




	
	
	
		
 
        # Verify that the login session has been terminated.

			




	
	
	
		
 
        response = self.app.get(url(controller='login', action='index'))

			




	
	
	
		
 
        self.assertNotIn('authuser', response.session)

			




	
	
	
		
 

			




	
	
	
		
 
    @parameterized.expand([

			




	
	
	
		
 
          ('data:text/html,<script>window.alert("xss")</script>',),

			




	
	
	
		
 
          ('mailto:test@example.com',),

			




	
	
	
		
 
          ('file:///etc/passwd',),

			




	
	
	
		
 
          ('ftp://ftp.example.com',),

			




	
	
	
		
 
          ('http://other.example.com/bl%C3%A5b%C3%A6rgr%C3%B8d',),

			




	
	
	
		
 
          ('//evil.example.com/',),

			




	
	
	
		
 
          ('/\r\nX-Header-Injection: boo',),

			




	
	
	
		
 
          ('/invälid_url_bytes',),

			




	
	
	
		
 
          ('non-absolute-path',),

			




	
	
	
		
 
    ])

			




	
	
	
		
 
    def test_login_bad_came_froms(self, url_came_from):

			




	
	
	
		
 
        response = self.app.post(url(controller='login', action='index',

			




	
	
	
		
 
                                     came_from=url_came_from),

			




	
	
	
		
 
                                 {'username': TEST_USER_ADMIN_LOGIN,

			




	
	
	
		
 
                                  'password': TEST_USER_ADMIN_PASS},

			




	
	
	
		
 
                                 status=400)

			




	
	
	
		
 

			




	
	
	
		
 
    def test_login_short_password(self):

			




	
	
	
		
 
        response = self.app.post(url(controller='login', action='index'),

			




	
	
	
		
 
                                 {'username': TEST_USER_ADMIN_LOGIN,

			




	
	
	
		
 
                                  'password': 'as'})

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.