Posted to commits@allura.apache.org by br...@apache.org on 2018/03/06 16:47:29 UTC

allura git commit: [#8190] improve return_to checking

Repository: allura
Updated Branches:
  refs/heads/master 880090cf2 -> 06bbb5a98


[#8190] improve return_to checking


Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/06bbb5a9
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/06bbb5a9
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/06bbb5a9

Branch: refs/heads/master
Commit: 06bbb5a98b5b5af78736550dcf928ab1d36bef6d
Parents: 880090c
Author: Dave Brondsema <da...@brondsema.net>
Authored: Tue Feb 27 17:32:22 2018 -0500
Committer: Dave Brondsema <da...@brondsema.net>
Committed: Fri Mar 2 11:15:27 2018 -0500

----------------------------------------------------------------------
 Allura/allura/controllers/auth.py           |  2 +-
 Allura/allura/tests/functional/test_auth.py | 12 ++++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/allura/blob/06bbb5a9/Allura/allura/controllers/auth.py
----------------------------------------------------------------------
diff --git a/Allura/allura/controllers/auth.py b/Allura/allura/controllers/auth.py
index 12523cc..7dc1532 100644
--- a/Allura/allura/controllers/auth.py
+++ b/Allura/allura/controllers/auth.py
@@ -310,7 +310,7 @@ class AuthController(BaseController):
     @staticmethod
     def _verify_return_to(return_to):
         # protect against any "open redirect" attacks using an external URL
-        if not return_to:
+        if not return_to or '\n' in return_to:
             return_to = '/'
         rt_host = urlparse(urljoin(config['base_url'], return_to)).netloc
         base_host = urlparse(config['base_url']).netloc
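Review bot: The new condition on the `if` line rejects only a bare LF, so a return_to carrying a lone `\r` (or another control character) still passes the guard and reaches urljoin and, presumably, the redirect's Location header; the check should cover both line terminators at least, e.g. `if not return_to or '\n' in return_to or '\r' in return_to:`. The comment above the guard speaks only of open redirects, so it is worth extending it to say that newlines are refused because the value ends up in a response header, e.g. `# also reject line breaks: return_to becomes a Location header, so CR/LF would allow header injection`. The corresponding test in test_auth.py exercises only the `\n` case and should get a matching `\r` case once the guard covers it. `_verify_return_to` continues past the end of this hunk, so what happens to `return_to` after the host comparison is not visible here.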

http://git-wip-us.apache.org/repos/asf/allura/blob/06bbb5a9/Allura/allura/tests/functional/test_auth.py
----------------------------------------------------------------------
diff --git a/Allura/allura/tests/functional/test_auth.py b/Allura/allura/tests/functional/test_auth.py
index 59c9428..07db7da 100644
--- a/Allura/allura/tests/functional/test_auth.py
+++ b/Allura/allura/tests/functional/test_auth.py
@@ -946,6 +946,18 @@ class TestAuth(TestController):
             _session_id=self.app.cookies['_session_id']))
         assert_equal(r.location, 'http://localhost/')
 
+    def test_no_injected_headers_in_return_to(self):
+        r = self.app.get('/auth/logout').follow()
+        r = self.app.post('/auth/do_login', params=dict(
+            username='test-user', password='foo',
+            return_to='/foo\nContent-Length: 777',
+            # WebTest actually will raise an error if there's an invalid header (webob itself does not)
+            _session_id=self.app.cookies['_session_id']),
+            antispam=True
+        )
+        assert_equal(r.location, 'http://localhost/')
+        assert_not_equal(r.content_length, 777)
+
 
 class TestPreferences(TestController):
     @td.with_user_project('test-admin')
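Review bot: `test_no_injected_headers_in_return_to` has no docstring, and the inline comment about WebTest sits between two keyword arguments of the `post` call where it reads as if it described `_session_id`; a docstring such as `"""A newline in return_to must be dropped before the value reaches the redirect's Location header."""` states the intent, and the WebTest remark belongs on the line above `r = self.app.post(`. The `assert_not_equal(r.content_length, 777)` check is indirect — it relies on the injected header never being emitted rather than on the redirect target being sanitised — so its purpose should be spelled out in the comment rather than left for the reader to infer. The enclosing class `TestAuth` begins before this hunk.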