upstream/kallithea Commit - r5510:a0a9ae75

Søren Løvborg -

r5510:a0a9ae75 stable

parent child

kallithea/controllers/login.py

0 +2 -15

                  def _validate_came_from(self, came_from):
                      """Return True if came_from is valid and can and should be used"""
-                     if not came_from:
-                         return False
-                     parsed = urlparse.urlparse(came_from)
-                     server_parsed = urlparse.urlparse(url.current())
-                     allowed_schemes = ['http', 'https']
-                     if parsed.scheme and parsed.scheme not in allowed_schemes:
-                         log.error('Suspicious URL scheme detected %s for url %s',
-                                  parsed.scheme, parsed)
-                         return False
-                     if server_parsed.netloc != parsed.netloc:
-                         log.error('Suspicious NETLOC detected %s for url %s server url '
-                                   'is: %s' % (parsed.netloc, parsed, server_parsed))
-                         return False
-                     return True
+                     url = urlparse.urlsplit(came_from)
+                     return not url.scheme and not url.netloc
                  def index(self):
                      c.came_from = safe_str(request.GET.pop('came_from', ''))

kallithea/tests/functional/test_login.py

0 +3 -7

                        ('file:///etc/passwd',),
                        ('ftp://ftp.example.com',),
                        ('http://other.example.com/bl%C3%A5b%C3%A6rgr%C3%B8d',),
+                       ('//evil.example.com/',),
                  ])
                  def test_login_bad_came_froms(self, url_came_from):
                      response = self.app.post(url(controller='login', action='index',
                                                   came_from=url_came_from),
                                               {'username': TEST_USER_ADMIN_LOGIN,
-                                               'password': TEST_USER_ADMIN_PASS})
-                     self.assertEqual(response.status, '302 Found')
-                     self.assertEqual(response._environ['paste.testing_variables']
-                                      ['tmpl_context'].came_from, '/')
-                     response = response.follow()
-                     self.assertEqual(response.status, '200 OK')
+                                               'password': TEST_USER_ADMIN_PASS},
+                                              status=400)
                  def test_login_short_password(self):
                      response = self.app.post(url(controller='login', action='index'),

General Comments 0

You need to be logged in to leave comments. Login now

No TODOs yet

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages