# HG changeset patch
# User Marcin Kuzminski
# Date 2012-07-30 22:27:22
# Node ID 04d2bcfbe7a6d7067df135a4f54d15b3f60e4158
# Parent 4fbbc65e8cd5145bd29c2334081a17f1f02fd8ce
security fix, inspired by django security announcement: https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/
- filter out bad schemes and netloc differences

diff --git a/rhodecode/controllers/login.py b/rhodecode/controllers/login.py
--- a/rhodecode/controllers/login.py
+++ b/rhodecode/controllers/login.py
@@ -26,6 +26,7 @@
 import logging
 import formencode
 import datetime
+import urlparse
 
 from formencode import htmlfill
 from webob.exc import HTTPFound
@@ -96,6 +97,19 @@ class LoginController(BaseController):
                     # send set-cookie headers back to response to update cookie
                     headers = [('Set-Cookie', session.request['cookie_out'])]
 
+                allowed_schemes = ['http', 'https', 'ftp']
+                parsed = urlparse.urlparse(c.came_from)
+                server_parsed = urlparse.urlparse(url.current())
+
+                if parsed.scheme and parsed.scheme not in allowed_schemes:
+                    log.error('Suspicious URL scheme detected %s for url %s' %
+                              (parsed.scheme, parsed))
+                    c.came_from = url('home')
+                elif server_parsed.netloc != parsed.netloc:
+                    log.error('Suspicious NETLOC detected %s for url %s'
+                              'server url is: %s' %
+                              (parsed.netloc, parsed, server_parsed))
+                    c.came_from = url('home')
                 if c.came_from:
                     raise HTTPFound(location=c.came_from, headers=headers)
                 else:
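Review bot: The netloc comparison on the `elif server_parsed.netloc != parsed.netloc:` line can still be bypassed with a backslash: `urlparse` treats `\` as an ordinary path character, so a `came_from` of `/\evil.example` parses with an empty netloc and passes the check (assuming `url.current()` yields a path-only URL, so the server netloc is empty too), yet common browsers normalize `\` to `/` in the Location target and follow it as `//evil.example` — the same gap Django's `is_safe_url` later had to close. Normalize before parsing, e.g. `parsed = urlparse.urlparse((c.came_from or '').replace('\\', '/'))`; the `or ''` also keeps a missing `came_from` (it is assigned from the request outside this hunk, so it may be `None`) from reaching `urlparse.urlparse` before the existing `if c.came_from:` guard, since `None.find` raises on Python 2. The two adjacent string literals in the second `log.error` are implicitly concatenated without a separating space, so the logged message reads `...for url <x>server url is: ...`; add a trailing space to the first literal. The enclosing method of `LoginController` starts before this hunk and the `else:` branch continues past it.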