Posted to commits@allura.apache.org by br...@apache.org on 2018/03/06 16:47:29 UTC
allura git commit: [#8190] improve return_to checking
Repository: allura
Updated Branches:
refs/heads/master 880090cf2 -> 06bbb5a98
[#8190] improve return_to checking
Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/06bbb5a9
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/06bbb5a9
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/06bbb5a9
Branch: refs/heads/master
Commit: 06bbb5a98b5b5af78736550dcf928ab1d36bef6d
Parents: 880090c
Author: Dave Brondsema <da...@brondsema.net>
Authored: Tue Feb 27 17:32:22 2018 -0500
Committer: Dave Brondsema <da...@brondsema.net>
Committed: Fri Mar 2 11:15:27 2018 -0500
----------------------------------------------------------------------
Allura/allura/controllers/auth.py | 2 +-
Allura/allura/tests/functional/test_auth.py | 12 ++++++++++++
2 files changed, 13 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/allura/blob/06bbb5a9/Allura/allura/controllers/auth.py
----------------------------------------------------------------------
diff --git a/Allura/allura/controllers/auth.py b/Allura/allura/controllers/auth.py
index 12523cc..7dc1532 100644
--- a/Allura/allura/controllers/auth.py
+++ b/Allura/allura/controllers/auth.py
@@ -310,7 +310,7 @@ class AuthController(BaseController):
@staticmethod
def _verify_return_to(return_to):
# protect against any "open redirect" attacks using an external URL
- if not return_to:
+ if not return_to or '\n' in return_to:
return_to = '/'
rt_host = urlparse(urljoin(config['base_url'], return_to)).netloc
base_host = urlparse(config['base_url']).netloc
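Review bot: The new guard on the `if not return_to` line rejects only a bare LF, so a `return_to` value containing a lone carriage return still passes through to the redirect, and a CR on its own is enough for some HTTP stacks to terminate a header line. The check should cover both line terminators, e.g. `if not return_to or '\n' in return_to or '\r' in return_to:`, and the inline comment could say why: `# reject CR/LF so the value cannot split the Location header`. The functional test added in the second hunk only exercises an LF payload, so a CR-only case would be worth adding alongside it. _verify_return_to continues past the end of this hunk, so whether the host comparison below also normalises the value cannot be confirmed from here.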
http://git-wip-us.apache.org/repos/asf/allura/blob/06bbb5a9/Allura/allura/tests/functional/test_auth.py
----------------------------------------------------------------------
diff --git a/Allura/allura/tests/functional/test_auth.py b/Allura/allura/tests/functional/test_auth.py
index 59c9428..07db7da 100644
--- a/Allura/allura/tests/functional/test_auth.py
+++ b/Allura/allura/tests/functional/test_auth.py
@@ -946,6 +946,18 @@ class TestAuth(TestController):
_session_id=self.app.cookies['_session_id']))
assert_equal(r.location, 'http://localhost/')
+ def test_no_injected_headers_in_return_to(self):
+ r = self.app.get('/auth/logout').follow()
+ r = self.app.post('/auth/do_login', params=dict(
+ username='test-user', password='foo',
+ return_to='/foo\nContent-Length: 777',
+ # WebTest actually will raise an error if there's an invalid header (webob itself does not)
+ _session_id=self.app.cookies['_session_id']),
+ antispam=True
+ )
+ assert_equal(r.location, 'http://localhost/')
+ assert_not_equal(r.content_length, 777)
+
class TestPreferences(TestController):
@td.with_user_project('test-admin')