@@ -43,7 +43,6 b' from rhodecode.model.user import UserMod' | |||
|
43 | 43 | from rhodecode.model.meta import Session |
|
44 | 44 | |
|
45 | 45 | |
|
46 | ||
|
47 | 46 | log = logging.getLogger(__name__) |
|
48 | 47 | |
|
49 | 48 | |
@@ -54,7 +53,7 b' class LoginController(BaseController):' | |||
|
54 | 53 | |
|
55 | 54 | def index(self): |
|
56 | 55 | # redirect if already logged in |
|
57 |
c.came_from = request.GET.get('came_from' |
|
|
56 | c.came_from = request.GET.get('came_from') | |
|
58 | 57 | |
|
59 | 58 | if self.rhodecode_user.is_authenticated \ |
|
60 | 59 | and self.rhodecode_user.username != 'default': |
@@ -97,20 +96,20 b' class LoginController(BaseController):' | |||
|
97 | 96 | # send set-cookie headers back to response to update cookie |
|
98 | 97 | headers = [('Set-Cookie', session.request['cookie_out'])] |
|
99 | 98 | |
|
100 |
allowed_schemes = ['http', 'https' |
|
|
101 | parsed = urlparse.urlparse(c.came_from) | |
|
102 | server_parsed = urlparse.urlparse(url.current()) | |
|
103 | ||
|
104 | if parsed.scheme and parsed.scheme not in allowed_schemes: | |
|
105 | log.error('Suspicious URL scheme detected %s for url %s' % | |
|
106 | (parsed.scheme, parsed)) | |
|
107 | c.came_from = url('home') | |
|
108 | elif server_parsed.netloc != parsed.netloc: | |
|
109 | log.error('Suspicious NETLOC detected %s for url %s' | |
|
110 | 'server url is: %s' % | |
|
111 | (parsed.netloc, parsed, server_parsed)) | |
|
112 | c.came_from = url('home') | |
|
99 | allowed_schemes = ['http', 'https'] | |
|
113 | 100 | if c.came_from: |
|
101 | parsed = urlparse.urlparse(c.came_from) | |
|
102 | server_parsed = urlparse.urlparse(url.current()) | |
|
103 | if parsed.scheme and parsed.scheme not in allowed_schemes: | |
|
104 | log.error( | |
|
105 | 'Suspicious URL scheme detected %s for url %s' % | |
|
106 | (parsed.scheme, parsed)) | |
|
107 | c.came_from = url('home') | |
|
108 | elif server_parsed.netloc != parsed.netloc: | |
|
109 | log.error('Suspicious NETLOC detected %s for url %s' | |
|
110 | 'server url is: %s' % | |
|
111 | (parsed.netloc, parsed, server_parsed)) | |
|
112 | c.came_from = url('home') | |
|
114 | 113 | raise HTTPFound(location=c.came_from, headers=headers) |
|
115 | 114 | else: |
|
116 | 115 | raise HTTPFound(location=url('home'), headers=headers) |
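Review bot: The netloc comparison in the `elif` branch assumes Python's urlparse and the browser agree on where the host starts, but values such as `/\other.domain` or `///other.domain` parse here with an empty netloc while common browsers treat them as scheme-relative, so they pass the check and are still issued as a redirect target — and if `url.current()` is path-only (Pylons returns no host unless `qualified=True`; worth confirming), an empty netloc is exactly what the comparison accepts. A cheap hardening is to also reject anything that starts with a second slash or a backslash, e.g. `elif (server_parsed.netloc != parsed.netloc or c.came_from.lstrip().startswith(('//', '/\\', '\\'))):`. Separately, the two adjacent literals in that branch's `log.error` concatenate to `...for url %sserver url is: %s` with no separator; add a trailing space to the first string, `'Suspicious NETLOC detected %s for url %s '`. The enclosing `index()` method starts outside this hunk.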
@@ -55,6 +55,25 b' class TestLoginController(TestController' | |||
|
55 | 55 | self.assertEqual(response.status, '200 OK') |
|
56 | 56 | self.assertTrue('Users administration' in response.body) |
|
57 | 57 | |
|
58 | @parameterized.expand([ | |
|
59 | ('data:text/html,<script>window.alert("xss")</script>',), | |
|
60 | ('mailto:test@rhodecode.org',), | |
|
61 | ('file:///etc/passwd',), | |
|
62 | ('ftp://some.ftp.server',), | |
|
63 | ('http://other.domain',), | |
|
64 | ]) | |
|
65 | def test_login_bad_came_froms(self, url_came_from): | |
|
66 | response = self.app.post(url(controller='login', action='index', | |
|
67 | came_from=url_came_from), | |
|
68 | {'username': 'test_admin', | |
|
69 | 'password': 'test12'}) | |
|
70 | self.assertEqual(response.status, '302 Found') | |
|
71 | self.assertEqual(response._environ['paste.testing_variables'] | |
|
72 | ['tmpl_context'].came_from, '/') | |
|
73 | response = response.follow() | |
|
74 | ||
|
75 | self.assertEqual(response.status, '200 OK') | |
|
76 | ||
|
58 | 77 | def test_login_short_password(self): |
|
59 | 78 | response = self.app.post(url(controller='login', action='index'), |
|
60 | 79 | {'username': 'test_admin', |
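Review bot: `test_login_bad_came_froms` has no case for scheme-relative or backslash-prefixed targets, which is where a `urlparse`-based netloc check is most likely to diverge from what a browser does with the `Location` header; add `('//other.domain',), ('/\\other.domain',), ('///other.domain',)` to the `parameterized.expand` list so the controller's netloc branch is exercised for them. The assertion that `came_from` equals `'/'` hard-codes the home route; comparing against `url('home')` keeps the test meaningful if that route ever changes. There is also no paired positive case in this hunk showing that a legitimate relative `came_from` survives the filter, unless the test just above (which checks for `'Users administration'` and starts outside this hunk) already covers that.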