@@ -43,7 +43,6 b' from rhodecode.model.user import UserMod' | |||||
43 | from rhodecode.model.meta import Session |
|
43 | from rhodecode.model.meta import Session | |
44 |
|
44 | |||
45 |
|
45 | |||
46 |
|
||||
47 | log = logging.getLogger(__name__) |
|
46 | log = logging.getLogger(__name__) | |
48 |
|
47 | |||
49 |
|
48 | |||
@@ -54,7 +53,7 b' class LoginController(BaseController):' | |||||
54 |
|
53 | |||
55 | def index(self): |
|
54 | def index(self): | |
56 | # redirect if already logged in |
|
55 | # redirect if already logged in | |
57 |
c.came_from = request.GET.get('came_from' |
|
56 | c.came_from = request.GET.get('came_from') | |
58 |
|
57 | |||
59 | if self.rhodecode_user.is_authenticated \ |
|
58 | if self.rhodecode_user.is_authenticated \ | |
60 | and self.rhodecode_user.username != 'default': |
|
59 | and self.rhodecode_user.username != 'default': | |
@@ -97,20 +96,20 b' class LoginController(BaseController):' | |||||
97 | # send set-cookie headers back to response to update cookie |
|
96 | # send set-cookie headers back to response to update cookie | |
98 | headers = [('Set-Cookie', session.request['cookie_out'])] |
|
97 | headers = [('Set-Cookie', session.request['cookie_out'])] | |
99 |
|
98 | |||
100 |
allowed_schemes = ['http', 'https' |
|
99 | allowed_schemes = ['http', 'https'] | |
101 | parsed = urlparse.urlparse(c.came_from) |
|
|||
102 | server_parsed = urlparse.urlparse(url.current()) |
|
|||
103 |
|
||||
104 | if parsed.scheme and parsed.scheme not in allowed_schemes: |
|
|||
105 | log.error('Suspicious URL scheme detected %s for url %s' % |
|
|||
106 | (parsed.scheme, parsed)) |
|
|||
107 | c.came_from = url('home') |
|
|||
108 | elif server_parsed.netloc != parsed.netloc: |
|
|||
109 | log.error('Suspicious NETLOC detected %s for url %s' |
|
|||
110 | 'server url is: %s' % |
|
|||
111 | (parsed.netloc, parsed, server_parsed)) |
|
|||
112 | c.came_from = url('home') |
|
|||
113 | if c.came_from: |
|
100 | if c.came_from: | |
|
101 | parsed = urlparse.urlparse(c.came_from) | |||
|
102 | server_parsed = urlparse.urlparse(url.current()) | |||
|
103 | if parsed.scheme and parsed.scheme not in allowed_schemes: | |||
|
104 | log.error( | |||
|
105 | 'Suspicious URL scheme detected %s for url %s' % | |||
|
106 | (parsed.scheme, parsed)) | |||
|
107 | c.came_from = url('home') | |||
|
108 | elif server_parsed.netloc != parsed.netloc: | |||
|
109 | log.error('Suspicious NETLOC detected %s for url %s' | |||
|
110 | 'server url is: %s' % | |||
|
111 | (parsed.netloc, parsed, server_parsed)) | |||
|
112 | c.came_from = url('home') | |||
114 | raise HTTPFound(location=c.came_from, headers=headers) |
|
113 | raise HTTPFound(location=c.came_from, headers=headers) | |
115 | else: |
|
114 | else: | |
116 | raise HTTPFound(location=url('home'), headers=headers) |
|
115 | raise HTTPFound(location=url('home'), headers=headers) |
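Review bot: The netloc check at new lines 108-112 only rejects what `urlparse` classifies as an authority, yet browsers also treat `/\other.domain`, `\\other.domain` and `///other.domain` as scheme-relative URLs while urlparse returns an empty netloc (and a bare path) for them, so they slip past both branches and the `HTTPFound` at new line 113 still redirects off-site. A raw-string guard ahead of the parse, e.g. `elif c.came_from.startswith(('///', '/\\', '\\')):` routed to the same `c.came_from = url('home')` fallback, closes that gap; safer still is to accept only a single-leading-slash relative path and drop the host comparison, since `url.current()` is presumably a bare path unless built with `qualified=True`, in which case `server_parsed.netloc` is empty and the comparison already degrades to "no host allowed". Separately, the two adjacent literals in the log call at new lines 109-110 have no separator and render as `... for url %sserver url is: %s`; a trailing space on the first literal fixes it. The `index` method that contains this hunk starts in the previous hunk, outside this one.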
@@ -55,6 +55,25 b' class TestLoginController(TestController' | |||||
55 | self.assertEqual(response.status, '200 OK') |
|
55 | self.assertEqual(response.status, '200 OK') | |
56 | self.assertTrue('Users administration' in response.body) |
|
56 | self.assertTrue('Users administration' in response.body) | |
57 |
|
57 | |||
|
58 | @parameterized.expand([ | |||
|
59 | ('data:text/html,<script>window.alert("xss")</script>',), | |||
|
60 | ('mailto:test@rhodecode.org',), | |||
|
61 | ('file:///etc/passwd',), | |||
|
62 | ('ftp://some.ftp.server',), | |||
|
63 | ('http://other.domain',), | |||
|
64 | ]) | |||
|
65 | def test_login_bad_came_froms(self, url_came_from): | |||
|
66 | response = self.app.post(url(controller='login', action='index', | |||
|
67 | came_from=url_came_from), | |||
|
68 | {'username': 'test_admin', | |||
|
69 | 'password': 'test12'}) | |||
|
70 | self.assertEqual(response.status, '302 Found') | |||
|
71 | self.assertEqual(response._environ['paste.testing_variables'] | |||
|
72 | ['tmpl_context'].came_from, '/') | |||
|
73 | response = response.follow() | |||
|
74 | ||||
|
75 | self.assertEqual(response.status, '200 OK') | |||
|
76 | ||||
58 | def test_login_short_password(self): |
|
77 | def test_login_short_password(self): | |
59 | response = self.app.post(url(controller='login', action='index'), |
|
78 | response = self.app.post(url(controller='login', action='index'), | |
60 | {'username': 'test_admin', |
|
79 | {'username': 'test_admin', |
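Review bot: `test_login_bad_came_froms` at lines 58-75 only exercises absolute-scheme and foreign-host inputs; it has no case for the scheme-relative and backslash forms that browsers follow but `urlparse` reports with an empty netloc, and no positive case proving a legitimate same-site `came_from` survives, so a fix that rejects every value would still pass. Extend the parameter list with `('//other.domain',), ('/\\other.domain',), ('///other.domain',)` and add a sibling test that posts with `came_from='/some/repo'` and asserts `tmpl_context.came_from` equals that path after the 302. The comparison against `'/'` on line 72 also hard-codes what `url('home')` resolves to; asserting against `url('home')` keeps the test independent of route configuration.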