@@ -76,6 +76,26 b' def _store_user_in_session(session, user' | |||
|
76 | 76 | return headers |
|
77 | 77 | |
|
78 | 78 | |
|
79 | def get_came_from(request): | |
|
80 | came_from = safe_str(request.GET.get('came_from', '')) | |
|
81 | parsed = urlparse.urlparse(came_from) | |
|
82 | allowed_schemes = ['http', 'https'] | |
|
83 | if parsed.scheme and parsed.scheme not in allowed_schemes: | |
|
84 | log.error('Suspicious URL scheme detected %s for url %s' % | |
|
85 | (parsed.scheme, parsed)) | |
|
86 | came_from = url('home') | |
|
87 | elif parsed.netloc and request.host != parsed.netloc: | |
|
88 | log.error('Suspicious NETLOC detected %s for url %s server url ' | |
|
89 | 'is: %s' % (parsed.netloc, parsed, request.host)) | |
|
90 | came_from = url('home') | |
|
91 | elif any(bad_str in parsed.path for bad_str in ('\r', '\n')): | |
|
92 | log.error('Header injection detected `%s` for url %s server url ' % | |
|
93 | (parsed.path, parsed)) | |
|
94 | came_from = url('home') | |
|
95 | ||
|
96 | return came_from | |
|
97 | ||
|
98 | ||
|
79 | 99 | class LoginView(object): |
|
80 | 100 | |
|
81 | 101 | def __init__(self, context, request): |
@@ -84,35 +104,9 b' class LoginView(object):' | |||
|
84 | 104 | self.session = request.session |
|
85 | 105 | self._rhodecode_user = request.user |
|
86 | 106 | |
|
87 | def _validate_came_from(self, came_from): | |
|
88 | if not came_from: | |
|
89 | return came_from | |
|
90 | ||
|
91 | parsed = urlparse.urlparse(came_from) | |
|
92 | allowed_schemes = ['http', 'https'] | |
|
93 | if parsed.scheme and parsed.scheme not in allowed_schemes: | |
|
94 | log.error('Suspicious URL scheme detected %s for url %s' % | |
|
95 | (parsed.scheme, parsed)) | |
|
96 | came_from = url('home') | |
|
97 | elif parsed.netloc and self.request.host != parsed.netloc: | |
|
98 | log.error('Suspicious NETLOC detected %s for url %s server url ' | |
|
99 | 'is: %s' % (parsed.netloc, parsed, self.request.host)) | |
|
100 | came_from = url('home') | |
|
101 | if any(bad_str in parsed.path for bad_str in ('\r', '\n')): | |
|
102 | log.error('Header injection detected `%s` for url %s server url ' % | |
|
103 | (parsed.path, parsed)) | |
|
104 | came_from = url('home') | |
|
105 | return came_from | |
|
106 | ||
|
107 | def _get_came_from(self): | |
|
108 | _default_came_from = url('home') | |
|
109 | came_from = self._validate_came_from( | |
|
110 | safe_str(self.request.GET.get('came_from', ''))) | |
|
111 | return came_from or _default_came_from | |
|
112 | ||
|
113 | 107 | def _get_template_context(self): |
|
114 | 108 | return { |
|
115 |
'came_from': self. |
|
|
109 | 'came_from': get_came_from(self.request), | |
|
116 | 110 | 'defaults': {}, |
|
117 | 111 | 'errors': {}, |
|
118 | 112 | } |
@@ -125,7 +119,7 b' class LoginView(object):' | |||
|
125 | 119 | |
|
126 | 120 | # redirect if already logged in |
|
127 | 121 | if user.is_authenticated and not user.is_default and user.ip_allowed: |
|
128 |
raise HTTPFound(self. |
|
|
122 | raise HTTPFound(get_came_from(self.request)) | |
|
129 | 123 | |
|
130 | 124 | return self._get_template_context() |
|
131 | 125 | |
@@ -133,7 +127,7 b' class LoginView(object):' | |||
|
133 | 127 | route_name='login', request_method='POST', |
|
134 | 128 | renderer='rhodecode:templates/login.html') |
|
135 | 129 | def login_post(self): |
|
136 |
came_from = self. |
|
|
130 | came_from = get_came_from(self.request) | |
|
137 | 131 | session = self.request.session |
|
138 | 132 | login_form = LoginForm()() |
|
139 | 133 |
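Review bot: The new module-level `get_came_from` in the first hunk (`@@ -76,6 +76,26`) drops the default that the removed `_get_came_from` applied, so a missing or empty `came_from` now comes back as `''`, and the already-authenticated branch of `login` raises `HTTPFound('')` while `_get_template_context` hands the template an empty `came_from`. Restore it at the top of the function with `if not came_from: return url('home')`, or change the final line to `return came_from or url('home')`. The header-injection check only inspects `parsed.path`, so a CR/LF in the query or fragment of the redirect target is not caught; checking the whole value, `elif any(bad_str in came_from for bad_str in ('\r', '\n')):`, closes that gap. Some browsers treat a path beginning with `/\` as scheme-relative, so it may be worth confirming that the netloc comparison alone covers that form for the URL parser in use. The body of `login_post` continues outside the last hunk, so whether it re-applies its own default is not visible here.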