@@ -26,6 +26,7 b'' | |||
|
26 | 26 | import logging |
|
27 | 27 | import formencode |
|
28 | 28 | import datetime |
|
29 | import urlparse | |
|
29 | 30 | |
|
30 | 31 | from formencode import htmlfill |
|
31 | 32 | from webob.exc import HTTPFound |
@@ -96,6 +97,19 b' class LoginController(BaseController):' | |||
|
96 | 97 | # send set-cookie headers back to response to update cookie |
|
97 | 98 | headers = [('Set-Cookie', session.request['cookie_out'])] |
|
98 | 99 | |
|
100 | allowed_schemes = ['http', 'https', 'ftp'] | |
|
101 | parsed = urlparse.urlparse(c.came_from) | |
|
102 | server_parsed = urlparse.urlparse(url.current()) | |
|
103 | ||
|
104 | if parsed.scheme and parsed.scheme not in allowed_schemes: | |
|
105 | log.error('Suspicious URL scheme detected %s for url %s' % | |
|
106 | (parsed.scheme, parsed)) | |
|
107 | c.came_from = url('home') | |
|
108 | elif server_parsed.netloc != parsed.netloc: | |
|
109 | log.error('Suspicious NETLOC detected %s for url %s' | |
|
110 | 'server url is: %s' % | |
|
111 | (parsed.netloc, parsed, server_parsed)) | |
|
112 | c.came_from = url('home') | |
|
99 | 113 | if c.came_from: |
|
100 | 114 | raise HTTPFound(location=c.came_from, headers=headers) |
|
101 | 115 | else: |
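Review bot: The netloc comparison on new line 108 can still be bypassed with a backslash-prefixed target such as `/\evil.com`: urlparse keeps that as a path with an empty netloc (so it compares equal to a host-less `url.current()`), while browsers following the WHATWG URL rules treat `/\` like `//` and leave the site. Reject backslashes before parsing, e.g. `if '\\' in (c.came_from or ''): c.came_from = url('home')`, or normalise them to `/` first. The two adjacent literals in the second log.error (new lines 109-110) are concatenated without a separator, so the message reads "...for url %sserver url is: %s"; change the first to `'Suspicious NETLOC detected %s for url %s '`. Note that relative came_from values are only accepted because `url.current()` presumably yields a host-less path; if it ever returns a fully qualified URL every relative redirect would be rejected, which is worth pinning in a test. The enclosing method starts and ends outside the hunk.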