Allow multiple returnurl prefixes (Z#23145768) (#3941)

* Allow multiple returnurl prefixes, improve validation and docs.

* Fix typo

* Allow URL prefixes starting with http://localhost

* Add more explanation
This commit is contained in:
Mira
2024-03-01 09:56:22 +01:00
committed by GitHub
parent 56bbcb65c3
commit 4876a0b61f
3 changed files with 17 additions and 5 deletions


@@ -71,11 +71,15 @@ def returnurl_process_request(sender, request, **kwargs):
u = request.GET.get('return_url')
if not sender.settings.returnurl_prefix:
raise PermissionDenied('No return URL prefix set.')
elif not u.startswith(sender.settings.returnurl_prefix):
elif not check_against_prefix_list(u, sender.settings.returnurl_prefix):
raise PermissionDenied('Invalid return URL.')
request.session[key] = u
def check_against_prefix_list(u, allowlist):
return any(u.startswith(allow.strip()) for allow in allowlist.split("\n") if allow.strip() != "")
@receiver(nav_event_settings, dispatch_uid='returnurl_nav')
def navbar_info(sender, request, **kwargs):
url = resolve(request.path_info)
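Review bot: `check_against_prefix_list` is a plain `startswith` against each configured prefix, so the target host is only pinned when the prefix ends at a path boundary; the form regex added in this commit enforces a slash after the hostname for `https://` prefixes, but the `http://localhost[:/]` branch lets a prefix end right after the port, where a longer URL's authority component is not bounded by the prefix. As defence in depth, independent of how the setting was entered, the check should also compare the parsed scheme and netloc of the request URL with those of the prefix it matched (`from urllib.parse import urlsplit` at the top of the module); the rewrite below does that and uses `splitlines()` so `\r\n` input from the textarea does not depend on `strip()`. `returnurl_process_request` starts outside the hunk, so it is not visible whether `u` can be `None` when `return_url` is absent — `u.startswith` would raise `AttributeError` in that case, presumably guarded earlier.
```python
def check_against_prefix_list(u, allowlist):
    # Besides the literal prefix match, require the request URL to live on
    # the same scheme and authority as the configured prefix, so a prefix
    # without a trailing slash cannot be extended past the host it names.
    target = urlsplit(u)
    for allow in allowlist.splitlines():
        allow = allow.strip()
        if not allow:
            continue
        prefix = urlsplit(allow)
        if u.startswith(allow) and (target.scheme, target.netloc) == (prefix.scheme, prefix.netloc):
            return True
    return False
```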


@@ -19,6 +19,8 @@
# You should have received a copy of the GNU Affero General Public License along with this program. If not, see
# <https://www.gnu.org/licenses/>.
#
import re
from django import forms
from django.urls import reverse
from django.utils.translation import gettext_lazy as _
@@ -31,10 +33,14 @@ from pretix.control.views.event import (
class ReturnSettingsForm(SettingsForm):
returnurl_prefix = forms.URLField(
label=_("Base redirection URL"),
help_text=_("Redirection will only be allowed to URLs that start with this prefix."),
returnurl_prefix = forms.RegexField(
label=_("Base redirection URLs"),
help_text=_("Redirection will only be allowed to URLs that start with one of these prefixes. "
"Enter one or more allowed URL prefix per line. "
"URL prefixes must include a slash after the hostname."),
required=False,
widget=forms.Textarea,
regex=re.compile(r'^((https://.*/.*|http://localhost[:/].*)\n*)*$')
)