removed ftp from allowed schemes...
marcink -
r2679:dffb9222 beta
@@ -43,7 +43,6 b' from rhodecode.model.user import UserMod'
43 43 from rhodecode.model.meta import Session
44 44
45 45
46
47 46 log = logging.getLogger(__name__)
48 47
49 48
@@ -54,7 +53,7 b' class LoginController(BaseController):'
54 53
55 54 def index(self):
56 55 # redirect if already logged in
57 c.came_from = request.GET.get('came_from', None)
56 c.came_from = request.GET.get('came_from')
58 57
59 58 if self.rhodecode_user.is_authenticated \
60 59 and self.rhodecode_user.username != 'default':
@@ -97,20 +96,20 b' class LoginController(BaseController):'
97 96 # send set-cookie headers back to response to update cookie
98 97 headers = [('Set-Cookie', session.request['cookie_out'])]
99 98
100 allowed_schemes = ['http', 'https', 'ftp']
101 parsed = urlparse.urlparse(c.came_from)
102 server_parsed = urlparse.urlparse(url.current())
103
104 if parsed.scheme and parsed.scheme not in allowed_schemes:
105 log.error('Suspicious URL scheme detected %s for url %s' %
106 (parsed.scheme, parsed))
107 c.came_from = url('home')
108 elif server_parsed.netloc != parsed.netloc:
109 log.error('Suspicious NETLOC detected %s for url %s'
110 'server url is: %s' %
111 (parsed.netloc, parsed, server_parsed))
112 c.came_from = url('home')
99 allowed_schemes = ['http', 'https']
113 100 if c.came_from:
101 parsed = urlparse.urlparse(c.came_from)
102 server_parsed = urlparse.urlparse(url.current())
103 if parsed.scheme and parsed.scheme not in allowed_schemes:
104 log.error(
105 'Suspicious URL scheme detected %s for url %s' %
106 (parsed.scheme, parsed))
107 c.came_from = url('home')
108 elif server_parsed.netloc != parsed.netloc:
109 log.error('Suspicious NETLOC detected %s for url %s'
110 'server url is: %s' %
111 (parsed.netloc, parsed, server_parsed))
112 c.came_from = url('home')
114 113 raise HTTPFound(location=c.came_from, headers=headers)
115 114 else:
116 115 raise HTTPFound(location=url('home'), headers=headers)
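Review bot: The `elif server_parsed.netloc != parsed.netloc:` branch relies on urlparse's reading of the user-supplied came_from, and a value whose path starts with a backslash parses with an empty netloc while some browsers treat `/\host` as protocol-relative, so it would pass both checks and still redirect off-site; reject backslashes alongside the scheme and netloc checks, e.g. an extra `elif '\\' in c.came_from:` branch that also falls back to `url('home')`. Since `url.current()` is presumably called without `qualified=True` here, `server_parsed.netloc` is empty and the comparison rejects every absolute URL including same-host ones — fine for an open-redirect guard, but worth stating with a comment such as `# url.current() has no netloc, so only path-relative targets survive this check`. The two adjacent string literals in the NETLOC log call run together (`... for url %sserver url is: %s`); add the missing space. The enclosing `index` method starts before this hunk.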
@@ -55,6 +55,25 b' class TestLoginController(TestController'
55 55 self.assertEqual(response.status, '200 OK')
56 56 self.assertTrue('Users administration' in response.body)
57 57
58 @parameterized.expand([
59 ('data:text/html,<script>window.alert("xss")</script>',),
60 ('mailto:test@rhodecode.org',),
61 ('file:///etc/passwd',),
62 ('ftp://some.ftp.server',),
63 ('http://other.domain',),
64 ])
65 def test_login_bad_came_froms(self, url_came_from):
66 response = self.app.post(url(controller='login', action='index',
67 came_from=url_came_from),
68 {'username': 'test_admin',
69 'password': 'test12'})
70 self.assertEqual(response.status, '302 Found')
71 self.assertEqual(response._environ['paste.testing_variables']
72 ['tmpl_context'].came_from, '/')
73 response = response.follow()
74
75 self.assertEqual(response.status, '200 OK')
76
58 77 def test_login_short_password(self):
59 78 response = self.app.post(url(controller='login', action='index'),
60 79 {'username': 'test_admin',
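Review bot: The parameterized cases in `test_login_bad_came_froms` cover rejected schemes and a foreign host, but none exercises a scheme-relative target, which only the netloc comparison in the controller catches; add `('//other.domain',),` to the list so that branch is pinned independently of the scheme check. Because the new `if c.came_from:` block now also gates the legitimate redirect, a companion positive test asserting that a path-relative came_from (e.g. `/_admin/users`) survives to `tmpl_context.came_from` would guard against the check becoming over-restrictive. The test reads `response._environ['paste.testing_variables']`, a private attribute; if the test base class exposes the template context another way, prefer that.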