security fix, inspired by django security...
marcink -
r2678:04d2bcfb beta
@@ -26,6 +26,7 b''
26 import logging
26 import logging
27 import formencode
27 import formencode
28 import datetime
28 import datetime
29 import urlparse
29
30
30 from formencode import htmlfill
31 from formencode import htmlfill
31 from webob.exc import HTTPFound
32 from webob.exc import HTTPFound
@@ -96,6 +97,19 b' class LoginController(BaseController):'
96 # send set-cookie headers back to response to update cookie
97 # send set-cookie headers back to response to update cookie
97 headers = [('Set-Cookie', session.request['cookie_out'])]
98 headers = [('Set-Cookie', session.request['cookie_out'])]
98
99
100 allowed_schemes = ['http', 'https', 'ftp']
101 parsed = urlparse.urlparse(c.came_from)
102 server_parsed = urlparse.urlparse(url.current())
103
104 if parsed.scheme and parsed.scheme not in allowed_schemes:
105 log.error('Suspicious URL scheme detected %s for url %s' %
106 (parsed.scheme, parsed))
107 c.came_from = url('home')
108 elif server_parsed.netloc != parsed.netloc:
109 log.error('Suspicious NETLOC detected %s for url %s'
110 'server url is: %s' %
111 (parsed.netloc, parsed, server_parsed))
112 c.came_from = url('home')
99 if c.came_from:
113 if c.came_from:
100 raise HTTPFound(location=c.came_from, headers=headers)
114 raise HTTPFound(location=c.came_from, headers=headers)
101 else:
115 else:
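Review bot: The new validation at lines 101–112 calls urlparse.urlparse(c.came_from) before the existing `if c.came_from:` guard that follows it, so if came_from can be None (the guard suggests it can be falsy) the scheme/netloc check now raises instead of falling through to the else branch; nesting the three-line validation under `if c.came_from:` before the redirect keeps the fall-through intact. The concatenated log format at lines 109–110 is also missing a separator, so the message reads `...for url <url>server url is: ...`; `'Suspicious NETLOC detected %s for url %s, server url is: %s' %` fixes it, and passing the values as logging arguments (`log.error('...', parsed.netloc, parsed, server_parsed)`) avoids formatting when the level is disabled. The netloc comparison relies on urlparse's reading of the input matching the browser's, which I would record with a comment such as `# Reject redirects to another host or a non-web scheme (open-redirect guard); relies on urlparse agreeing with the browser about what the netloc is` so the assumption is visible to the next reader. The enclosing method continues past the end of the hunk.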