Repository: allura Updated Branches: refs/heads/master 880090cf2 -> 06bbb5a98
[#8190] improve return_to checking
Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/06bbb5a9
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/06bbb5a9
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/06bbb5a9
Branch: refs/heads/master
Commit: 06bbb5a98b5b5af78736550dcf928ab1d36bef6d
Parents: 880090c
Author: Dave Brondsema <d...@brondsema.net>
Authored: Tue Feb 27 17:32:22 2018 -0500
Committer: Dave Brondsema <d...@brondsema.net>
Committed: Fri Mar 2 11:15:27 2018 -0500
----------------------------------------------------------------------
Allura/allura/controllers/auth.py | 2 +-
Allura/allura/tests/functional/test_auth.py | 12 ++++++++++++
2 files changed, 13 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/allura/blob/06bbb5a9/Allura/allura/controllers/auth.py
----------------------------------------------------------------------
diff --git a/Allura/allura/controllers/auth.py b/Allura/allura/controllers/auth.py
index 12523cc..7dc1532 100644
--- a/Allura/allura/controllers/auth.py
+++ b/Allura/allura/controllers/auth.py
@@ -310,7 +310,7 @@ class AuthController(BaseController):
@staticmethod
def _verify_return_to(return_to):
# protect against any "open redirect" attacks using an external URL
- if not return_to:
+ if not return_to or '\n' in return_to:
return_to = '/'
rt_host = urlparse(urljoin(config['base_url'], return_to)).netloc
base_host = urlparse(config['base_url']).netloc
http://git-wip-us.apache.org/repos/asf/allura/blob/06bbb5a9/Allura/allura/tests/functional/test_auth.py
----------------------------------------------------------------------
diff --git a/Allura/allura/tests/functional/test_auth.py b/Allura/allura/tests/functional/test_auth.py
index 59c9428..07db7da 100644
--- a/Allura/allura/tests/functional/test_auth.py
+++ b/Allura/allura/tests/functional/test_auth.py
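Review bot: The new guard in `_verify_return_to` rejects only a bare LF, so a `return_to` containing a lone `\r` still passes through `urljoin`/`urlparse` and on to the redirect; a bare CR is treated as a line terminator by some header parsers and intermediaries, so the check should cover both characters, e.g. `if not return_to or '\r' in return_to or '\n' in return_to:`. Performing this check before the parse is the right order, since `urlparse` does not reject such characters and the netloc comparison alone would not catch them. The host comparison that consumes `rt_host` and `base_host` lies outside the hunk; if the function only compares netlocs, note that `urljoin` inherits the base netloc for a path like `/\evil.example`, which browsers normalise to the scheme-relative `//evil.example`, so rejecting backslashes as well (`'\\' in return_to`) is presumably worth adding — confirm against the rest of the function. The function body continues past the end of the hunk.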
@@ -946,6 +946,18 @@ class TestAuth(TestController):
_session_id=self.app.cookies['_session_id']))
assert_equal(r.location, 'http://localhost/')
+ def test_no_injected_headers_in_return_to(self):
+ r = self.app.get('/auth/logout').follow()
+ r = self.app.post('/auth/do_login', params=dict(
+ username='test-user', password='foo',
+ return_to='/foo\nContent-Length: 777',
+ # WebTest actually will raise an error if there's an invalid header (webob itself does not)
+ _session_id=self.app.cookies['_session_id']),
+ antispam=True
+ )
+ assert_equal(r.location, 'http://localhost/')
+ assert_not_equal(r.content_length, 777)
+
class TestPreferences(TestController):
@td.with_user_project('test-admin')
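Review bot: `test_no_injected_headers_in_return_to` exercises only a bare `\n`, but the payloads an attacker would actually send are `\r\n` (the header terminator) and a lone `\r`, and neither is covered; iterating the same login over `('/foo\nContent-Length: 777', '/foo\r\nContent-Length: 777', '/foo\rContent-Length: 777')` would pin all three and would expose whether the controller's guard handles CR. The `assert_equal(r.location, 'http://localhost/')` line is the assertion that carries the test, since a sanitised `return_to` falls back to `/`; `assert_not_equal(r.content_length, 777)` is a weak secondary signal because a redirect body is unlikely to be that length regardless, so a comment such as `# the real check is that return_to was discarded, not merely the header value` would make the intent clearer. The `TestAuth` class begins before the hunk.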