removed ftp from allowed schemas...
marcink -
r2679:dffb9222 beta
@@ -43,7 +43,6 b' from rhodecode.model.user import UserMod'
43 from rhodecode.model.meta import Session
43 from rhodecode.model.meta import Session
44
44
45
45
46
47 log = logging.getLogger(__name__)
46 log = logging.getLogger(__name__)
48
47
49
48
@@ -54,7 +53,7 b' class LoginController(BaseController):'
54
53
55 def index(self):
54 def index(self):
56 # redirect if already logged in
55 # redirect if already logged in
57 c.came_from = request.GET.get('came_from', None)
56 c.came_from = request.GET.get('came_from')
58
57
59 if self.rhodecode_user.is_authenticated \
58 if self.rhodecode_user.is_authenticated \
60 and self.rhodecode_user.username != 'default':
59 and self.rhodecode_user.username != 'default':
@@ -97,20 +96,20 b' class LoginController(BaseController):'
97 # send set-cookie headers back to response to update cookie
96 # send set-cookie headers back to response to update cookie
98 headers = [('Set-Cookie', session.request['cookie_out'])]
97 headers = [('Set-Cookie', session.request['cookie_out'])]
99
98
100 allowed_schemes = ['http', 'https', 'ftp']
99 allowed_schemes = ['http', 'https']
101 parsed = urlparse.urlparse(c.came_from)
102 server_parsed = urlparse.urlparse(url.current())
103
104 if parsed.scheme and parsed.scheme not in allowed_schemes:
105 log.error('Suspicious URL scheme detected %s for url %s' %
106 (parsed.scheme, parsed))
107 c.came_from = url('home')
108 elif server_parsed.netloc != parsed.netloc:
109 log.error('Suspicious NETLOC detected %s for url %s'
110 'server url is: %s' %
111 (parsed.netloc, parsed, server_parsed))
112 c.came_from = url('home')
113 if c.came_from:
100 if c.came_from:
101 parsed = urlparse.urlparse(c.came_from)
102 server_parsed = urlparse.urlparse(url.current())
103 if parsed.scheme and parsed.scheme not in allowed_schemes:
104 log.error(
105 'Suspicious URL scheme detected %s for url %s' %
106 (parsed.scheme, parsed))
107 c.came_from = url('home')
108 elif server_parsed.netloc != parsed.netloc:
109 log.error('Suspicious NETLOC detected %s for url %s'
110 'server url is: %s' %
111 (parsed.netloc, parsed, server_parsed))
112 c.came_from = url('home')
114 raise HTTPFound(location=c.came_from, headers=headers)
113 raise HTTPFound(location=c.came_from, headers=headers)
115 else:
114 else:
116 raise HTTPFound(location=url('home'), headers=headers)
115 raise HTTPFound(location=url('home'), headers=headers)
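Review bot: The same-origin check at `elif server_parsed.netloc != parsed.netloc:` compares host parts, but the only shape of `came_from` the login page needs is a relative path, and `urlparse` and browsers do not always agree on where the host of an absolute URL ends (backslashes, userinfo), so the simpler and stricter rule is to reject anything that carries a scheme or a netloc: `if parsed.scheme or parsed.netloc:` followed by `c.came_from = url('home')`. If `url.current()` returns a path-only URL here (as Pylons' `url.current()` does unless called with `qualified=True`, as far as I can tell), `server_parsed.netloc` is empty and the current comparison already amounts to that rule, but only implicitly; a comment such as `# came_from must be a path on this site; any absolute URL is redirected home` would make the intent explicit. Separately, the two adjacent literals in the NETLOC message concatenate to `...for url %sserver url is: %s`, so a separator such as `', server url is: %s'` is missing before the third placeholder. The enclosing `index` method starts and ends outside the hunk.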
@@ -55,6 +55,25 b' class TestLoginController(TestController'
55 self.assertEqual(response.status, '200 OK')
55 self.assertEqual(response.status, '200 OK')
56 self.assertTrue('Users administration' in response.body)
56 self.assertTrue('Users administration' in response.body)
57
57
58 @parameterized.expand([
59 ('data:text/html,<script>window.alert("xss")</script>',),
60 ('mailto:test@rhodecode.org',),
61 ('file:///etc/passwd',),
62 ('ftp://some.ftp.server',),
63 ('http://other.domain',),
64 ])
65 def test_login_bad_came_froms(self, url_came_from):
66 response = self.app.post(url(controller='login', action='index',
67 came_from=url_came_from),
68 {'username': 'test_admin',
69 'password': 'test12'})
70 self.assertEqual(response.status, '302 Found')
71 self.assertEqual(response._environ['paste.testing_variables']
72 ['tmpl_context'].came_from, '/')
73 response = response.follow()
74
75 self.assertEqual(response.status, '200 OK')
76
58 def test_login_short_password(self):
77 def test_login_short_password(self):
59 response = self.app.post(url(controller='login', action='index'),
78 response = self.app.post(url(controller='login', action='index'),
60 {'username': 'test_admin',
79 {'username': 'test_admin',
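Review bot: The new parameterized cases in `test_login_bad_came_froms` cover only rejected values; there is no case asserting that a legitimate relative `came_from` such as `/_admin/users` is kept and used as the redirect target, so a regression that sends every login home would still pass. A scheme-less absolute form, `('//other.domain',)`, is also worth adding to the list, because it has no scheme and is caught only by the netloc comparison in the controller. The enclosing `TestLoginController` class starts outside the hunk.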