upstream/kallithea Commit - r5510:a0a9ae75

Søren Løvborg -

r5510:a0a9ae75 stable

parent child

kallithea/controllers/login.py

0 +2 -15

@@ -58,21 +58,8 b' class LoginController(BaseController):'
58		58
59	def _validate_came_from(self, came_from):	59	def _validate_came_from(self, came_from):
60	"""Return True if came_from is valid and can and should be used"""	60	"""Return True if came_from is valid and can and should be used"""
61	if not came_from:	61	url = urlparse.urlsplit(came_from)
62	return False	62	return not url.scheme and not url.netloc
63
64	parsed = urlparse.urlparse(came_from)
65	server_parsed = urlparse.urlparse(url.current())
66	allowed_schemes = ['http', 'https']
67	if parsed.scheme and parsed.scheme not in allowed_schemes:
68	log.error('Suspicious URL scheme detected %s for url %s',
69	parsed.scheme, parsed)
70	return False
71	if server_parsed.netloc != parsed.netloc:
72	log.error('Suspicious NETLOC detected %s for url %s server url '
73	'is: %s' % (parsed.netloc, parsed, server_parsed))
74	return False
75	return True
76		63
77	def index(self):	64	def index(self):
78	c.came_from = safe_str(request.GET.pop('came_from', ''))	65	c.came_from = safe_str(request.GET.pop('came_from', ''))

kallithea/tests/functional/test_login.py

0 +3 -7

                       ('file:///etc/passwd',),
                       ('ftp://ftp.example.com',),
                       ('http://other.example.com/bl%C3%A5b%C3%A6rgr%C3%B8d',),
+                      ('//evil.example.com/',),
                 ])
                 def test_login_bad_came_froms(self, url_came_from):
                     response = self.app.post(url(controller='login', action='index',
                                                  came_from=url_came_from),
                                              {'username': TEST_USER_ADMIN_LOGIN,
-                                              'password': TEST_USER_ADMIN_PASS})
+                                              'password': TEST_USER_ADMIN_PASS},
-                    self.assertEqual(response.status, '302 Found')
+                                             status=400)
-                    self.assertEqual(response._environ['paste.testing_variables']
-                                     ['tmpl_context'].came_from, '/')
-                    response = response.follow()
-                    self.assertEqual(response.status, '200 OK')
                 def test_login_short_password(self):
                     response = self.app.post(url(controller='login', action='index'),

General Comments 0

You need to be logged in to leave comments. Login now

No TODOs yet

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages