@@ -1,4 +1,4 b'' | |||
|
1 | # -*- coding: utf-8 -*- | |
|
1 | ||
|
2 | 2 | |
|
3 | 3 | # Copyright (C) 2016-2020 RhodeCode GmbH |
|
4 | 4 | # |
@@ -18,8 +18,6 b'' | |||
|
18 | 18 | # RhodeCode Enterprise Edition, including its added features, Support services, |
|
19 | 19 | # and proprietary license terms, please see https://rhodecode.com/licenses/ |
|
20 | 20 | |
|
21 | import json | |
|
22 | ||
|
23 | 21 | import pytest |
|
24 | 22 | |
|
25 | 23 | from . import assert_and_get_main_filter_content |
@@ -27,6 +25,7 b' from rhodecode.tests import TestControll' | |||
|
27 | 25 | from rhodecode.tests.fixture import Fixture |
|
28 | 26 | |
|
29 | 27 | from rhodecode.lib.utils import map_groups |
|
28 | from rhodecode.lib.ext_json import json | |
|
30 | 29 | from rhodecode.model.repo import RepoModel |
|
31 | 30 | from rhodecode.model.repo_group import RepoGroupModel |
|
32 | 31 | from rhodecode.model.db import Session, Repository, RepoGroup |
@@ -35,7 +34,9 b' fixture = Fixture()' | |||
|
35 | 34 | |
|
36 | 35 | |
|
37 | 36 | def route_path(name, params=None, **kwargs): |
|
38 |
import urllib.request |
|
|
37 | import urllib.request | |
|
38 | import urllib.parse | |
|
39 | import urllib.error | |
|
39 | 40 | |
|
40 | 41 | base_url = { |
|
41 | 42 | 'goto_switcher_data': '/_goto_data', |
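Review bot: The rewritten route_path now imports `urllib.request`, `urllib.parse` and `urllib.error` inside the function body (new lines 37–39), and the same three-line block appears in the third file's route_path (new lines 48–50); the function bodies continue below the hunks, but a test helper that builds paths from `base_url` and `params` most likely only needs `urllib.parse` (for urlencode/quote), which would make the other two dead imports — confirm against the rest of the function. If that is the case, both places can shrink to the single line `import urllib.parse`, and since this is a test module with a normal import block (`import pytest` above), that one import belongs at module level rather than inside the function.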
@@ -1,4 +1,4 b'' | |||
|
1 | # -*- coding: utf-8 -*- | |
|
1 | ||
|
2 | 2 | |
|
3 | 3 | # Copyright (C) 2016-2020 RhodeCode GmbH |
|
4 | 4 | # |
@@ -91,6 +91,7 b' def store_user_in_session(session, usern' | |||
|
91 | 91 | def get_came_from(request): |
|
92 | 92 | came_from = safe_str(request.GET.get('came_from', '')) |
|
93 | 93 | parsed = urllib.parse.urlparse(came_from) |
|
94 | ||
|
94 | 95 | allowed_schemes = ['http', 'https'] |
|
95 | 96 | default_came_from = h.route_path('home') |
|
96 | 97 | if parsed.scheme and parsed.scheme not in allowed_schemes: |
@@ -101,7 +102,7 b' def get_came_from(request):' | |||
|
101 | 102 | log.error('Suspicious NETLOC detected %s for url %s server url ' |
|
102 | 103 | 'is: %s', parsed.netloc, parsed, request.host) |
|
103 | 104 | came_from = default_came_from |
|
104 |
elif any(bad_ |
|
|
105 | elif any(bad_char in came_from for bad_char in ('\r', '\n')): | |
|
105 | 106 | log.error('Header injection detected `%s` for url %s server url ', |
|
106 | 107 | parsed.path, parsed) |
|
107 | 108 | came_from = default_came_from |
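Review bot: The new `elif` on line 105 correctly rejects a came_from carrying CR or LF, but the `log.error` call that follows formats `parsed.path` with `%s`, so the very control characters just detected are written raw into the log line, where they can break it into forged entries; `%r` keeps them escaped. The same message also ends in `'server url '` with no matching argument, unlike the NETLOC branch above it which passes `request.host`. Suggested replacement for lines 106–107: `log.error('Header injection detected %r for url %r server url is: %s', parsed.path, parsed, request.host)`. get_came_from continues past the end of this hunk.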
@@ -1,4 +1,4 b'' | |||
|
1 | # -*- coding: utf-8 -*- | |
|
1 | ||
|
2 | 2 | |
|
3 | 3 | # Copyright (C) 2016-2020 RhodeCode GmbH |
|
4 | 4 | # |
@@ -17,7 +17,7 b'' | |||
|
17 | 17 | # This program is dual-licensed. If you wish to learn more about the |
|
18 | 18 | # RhodeCode Enterprise Edition, including its added features, Support services, |
|
19 | 19 | # and proprietary license terms, please see https://rhodecode.com/licenses/ |
|
20 | # -*- coding: utf-8 -*- | |
|
20 | ||
|
21 | 21 | |
|
22 | 22 | # Copyright (C) 2016-2020 RhodeCode GmbH |
|
23 | 23 | # |
@@ -45,7 +45,9 b' from rhodecode.lib import helpers as h' | |||
|
45 | 45 | |
|
46 | 46 | |
|
47 | 47 | def route_path(name, params=None, **kwargs): |
|
48 |
import urllib.request |
|
|
48 | import urllib.request | |
|
49 | import urllib.parse | |
|
50 | import urllib.error | |
|
49 | 51 | from rhodecode.apps._base import ADMIN_PREFIX |
|
50 | 52 | |
|
51 | 53 | base_url = { |
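Review bot: The hunk at lines 17–23 removes only the second `# -*- coding: utf-8 -*-` marker (old line 20), leaving the rest of the duplicated file header in place: the copyright line `# Copyright (C) 2016-2020 RhodeCode GmbH` appears at new line 3 and again at new line 22, so the license block is still repeated twice in this module. Since the commit is already cleaning up this header, the whole repeated block starting at new line 22 should go with it; its full extent is not visible in this hunk, so check how far the duplicate runs before the first import.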