upstream/kallithea Commit - r2678:04d2bcfb

security fix, inspired by django security...

marcink -

r2678:04d2bcfb beta

parent child

rhodecode/controllers/login.py

0 +14 0

              import logging
              import formencode
              import datetime
+             import urlparse
              from formencode import htmlfill
              from webob.exc import HTTPFound
                                  # send set-cookie headers back to response to update cookie
                                  headers = [('Set-Cookie', session.request['cookie_out'])]
+                             allowed_schemes = ['http', 'https', 'ftp']
+                             parsed = urlparse.urlparse(c.came_from)
+                             server_parsed = urlparse.urlparse(url.current())
+                             if parsed.scheme and parsed.scheme not in allowed_schemes:
+                                 log.error('Suspicious URL scheme detected %s for url %s' %
+                                           (parsed.scheme, parsed))
+                                 c.came_from = url('home')
+                             elif server_parsed.netloc != parsed.netloc:
+                                 log.error('Suspicious NETLOC detected %s for url %s'
+                                           'server url is: %s' %
+                                           (parsed.netloc, parsed, server_parsed))
+                                 c.came_from = url('home')
                              if c.came_from:
                                  raise HTTPFound(location=c.came_from, headers=headers)
                              else:

General Comments 0

You need to be logged in to leave comments. Login now

No TODOs yet

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages