security fix, inspired by django security...
marcink -
r2678:04d2bcfb beta
@@ -26,6 +26,7 b''
26 26 import logging
27 27 import formencode
28 28 import datetime
29 import urlparse
29 30
30 31 from formencode import htmlfill
31 32 from webob.exc import HTTPFound
@@ -96,6 +97,19 b' class LoginController(BaseController):'
96 97 # send set-cookie headers back to response to update cookie
97 98 headers = [('Set-Cookie', session.request['cookie_out'])]
98 99
100 allowed_schemes = ['http', 'https', 'ftp']
101 parsed = urlparse.urlparse(c.came_from)
102 server_parsed = urlparse.urlparse(url.current())
103
104 if parsed.scheme and parsed.scheme not in allowed_schemes:
105 log.error('Suspicious URL scheme detected %s for url %s' %
106 (parsed.scheme, parsed))
107 c.came_from = url('home')
108 elif server_parsed.netloc != parsed.netloc:
109 log.error('Suspicious NETLOC detected %s for url %s'
110 'server url is: %s' %
111 (parsed.netloc, parsed, server_parsed))
112 c.came_from = url('home')
99 113 if c.came_from:
100 114 raise HTTPFound(location=c.came_from, headers=headers)
101 115 else:
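Review bot: The scheme/netloc test at lines 104-112 still passes strings that urlparse reads as a host-less path but browsers treat as an absolute or protocol-relative target, so the redirect at line 114 can remain an open redirect: `///evil.example` parses with scheme `''` and netloc `''`, and `http:\\evil.example` parses with netloc `''` because urlparse does not treat backslashes as separators, while browsers generally do. In both cases the empty netloc compares equal to the netloc of a path-only `url.current()` (presumably what Pylons returns here; if it returns a fully qualified URL instead, every absolute `came_from` is rejected, which is safe but worth confirming), so neither branch fires. Django's equivalent check later had to be hardened for exactly these forms; the fix here is to normalise and reject before parsing, e.g. `came_from = c.came_from.replace('\\', '/')` then `if came_from.startswith('///') or came_from != c.came_from: c.came_from = url('home')` as a first branch, and parse `came_from` rather than `c.came_from`. Separately, the implicitly concatenated literal at lines 109-110 lacks a separator, so the log line renders as `for url %sserver url is:`; end the first literal with a space (`'... for url %s '`). The enclosing login method starts before this hunk and its `else:` body continues after it.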