From 2d8cb29853190d42572b36deb61127e68d6be574 Mon Sep 17 00:00:00 2001
From: Uzay-G
Date: Thu, 24 Feb 2022 21:32:40 +0100
Subject: [PATCH] fix open redirect

---
 archivy/helpers.py | 12 +++++++++++-
 archivy/routes.py | 7 +++++--
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/archivy/helpers.py b/archivy/helpers.py
index df6d63c8..1eddbdd0 100644
--- a/archivy/helpers.py
+++ b/archivy/helpers.py
@@ -5,8 +5,9 @@ import elasticsearch
 import yaml
 from elasticsearch import Elasticsearch
-from flask import current_app, g
+from flask import current_app, g, request
 from tinydb import TinyDB, Query, operations
+from urllib.parse import urlparse, urljoin
 from archivy.config import BaseHooks, Config
@@ -230,3 +231,12 @@ def create_plugin_dir(name):
         return True
     except FileExistsError:
         return False
+
+
+def is_safe_redirect_url(target):
+    host_url = urlparse(request.host_url)
+    redirect_url = urlparse(urljoin(request.host_url, target))
+    return (
+        redirect_url.scheme in ("http", "https")
+        and host_url.netloc == redirect_url.netloc
+    )
diff --git a/archivy/routes.py b/archivy/routes.py
index f96ff519..173e2b12 100644
--- a/archivy/routes.py
+++ b/archivy/routes.py
@@ -19,7 +19,7 @@ from archivy.models import DataObj, User
 from archivy import data, app, forms, csrf
-from archivy.helpers import get_db, write_config
+from archivy.helpers import get_db, write_config, is_safe_redirect_url
 from archivy.tags import get_all_tags
 from archivy.search import search, search_frontmatter_tags
 from archivy.config import Config
@@ -264,7 +264,10 @@ def login():
         flash("Login successful!", "success")
         next_url = request.args.get("next")
-        return redirect(next_url or "/")
+        if next_url and is_safe_redirect_url(next_url):
+            return redirect(next_url)
+        else:
+            return redirect("/")
     flash("Invalid credentials", "error")
     return redirect("/login")
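Review bot: The check in `is_safe_redirect_url` (hunk `@@ -230,3 +231,12 @@` of archivy/helpers.py) relies on `urllib.parse` agreeing with the browser about how `target` resolves, but `urlparse` treats a backslash as an ordinary path character while browsers normalise it to `/` in http(s) URLs, so a target that parses here as a same-host path can be resolved by the client to a different host. A conservative fix is to refuse such input before it reaches `urljoin`: `if not target or "\\" in target:` / `    return False` as the first lines of the function; since the caller only ever passes a value from the `next` query parameter, an even tighter rule is to accept only a single-slash relative path (`target.startswith("/") and not target.startswith("//")`) and drop the host comparison altogether. The function also needs a docstring stating that it must run inside a request context (it reads `request.host_url`, which is derived from the incoming `Host` header) and that it returns `True` only for http(s) URLs whose netloc equals the current host's, including the port.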
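Review bot: In `login()` (hunk `@@ -264,7 +264,10 @@` of archivy/routes.py) the `else:` after `return redirect(next_url)` is redundant and the two branches differ only in the argument, so the four added lines read more clearly as one expression: `return redirect(next_url if next_url and is_safe_redirect_url(next_url) else "/")`. A one-line comment above it saying why `next` is validated (`# only follow `next` when it points back at this host`) would tell the next maintainer not to loosen the check. The body of `login()` starts outside the hunk.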