CGM_Public/pretix_cgo
1
0
Fork 0
forked from CGM_Public/pretix_original
Code Pull Requests Actions Activity

OIDC RP: Use a separator value in state that is less likely to get lost in transit

Browse Source
This commit is contained in:
Raphael Michel
2022-10-07 09:42:25 +02:00
parent edbd24e942
commit 0a95f90012
1 changed files with 3 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/pretix/presale/views/customer.py
View File

@@ -20,6 +20,7 @@
# <https://www.gnu.org/licenses/>. # <https://www.gnu.org/licenses/>.
# #
import hashlib import hashlib
import re
from importlib import import_module from importlib import import_module
from urllib.parse import ( from urllib.parse import (
parse_qs, quote, urlencode, urljoin, urlparse, urlsplit, urlunparse, parse_qs, quote, urlencode, urljoin, urlparse, urlsplit, urlunparse,
@@ -619,7 +620,7 @@ class SSOLoginView(RedirectBackMixin, View):
}) })
if self.provider.method == "oidc": if self.provider.method == "oidc":
return redirect(oidc_authorize_url(self.provider, f'{nonce}#{next_url}', redirect_uri)) return redirect(oidc_authorize_url(self.provider, f'{nonce}§{next_url}', redirect_uri))
else: else:
raise Http404("Unknown SSO method.") raise Http404("Unknown SSO method.")
@@ -678,7 +679,7 @@ class SSOLoginReturnView(RedirectBackMixin, View):
popup_origin, popup_origin,
) )
nonce, redirect_to = request.GET['state'].split('#') nonce, redirect_to = re.split("[#§]", request.GET['state']) # Allow # for backwards-compatibility for a while
if nonce != request.session.get(f'pretix_customerauth_{self.provider.pk}_nonce'): if nonce != request.session.get(f'pretix_customerauth_{self.provider.pk}_nonce'):
return self._fail( return self._fail(