CGM_Public/pretix_cgo
1
0
Fork 0
forked from CGM_Public/pretix_original
Code Pull Requests Actions Activity

Fixed a referer leak

Browse Source
This commit is contained in:
Raphael Michel
2016-09-14 10:34:20 +02:00
parent 5c791e7fab
commit f128a5f559
5 changed files with 35 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/pretix/base/templatetags/safelink.py Normal file
View File

@@ -0,0 +1,10 @@
from django import template
from ..views.redirect import safelink as sl
register = template.Library()
@register.simple_tag
def safelink(url):
return sl(url)

19
src/pretix/base/views/redirect.py Normal file
View File

@@ -0,0 +1,19 @@
import urllib.parse
from django.core import signing
from django.core.urlresolvers import reverse
from django.http import HttpResponseBadRequest, HttpResponseRedirect
def redir_view(request):
signer = signing.Signer(salt='safe-redirect')
try:
url = signer.unsign(request.GET.get('url', ''))
except signing.BadSignature:
return HttpResponseBadRequest('Invalid parameter')
return HttpResponseRedirect(url)
def safelink(url):
signer = signing.Signer(salt='safe-redirect')
return reverse('redirect') + '?url=' + urllib.parse.quote(signer.sign(url))

1
src/pretix/presale/templates/pretixpresale/base.html
View File

@@ -27,6 +27,7 @@
{% endcompress %} {% endcompress %}
{{ html_head|safe }} {{ html_head|safe }}
<meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="referrer" content="origin">
<link rel="icon" href="{% static "pretixbase/img/favicon.ico" %}"> <link rel="icon" href="{% static "pretixbase/img/favicon.ico" %}">
</head> </head>
<body data-locale="{{ request.LANGUAGE_CODE }}"> <body data-locale="{{ request.LANGUAGE_CODE }}">

4
src/pretix/presale/templates/pretixpresale/base_footer.html
View File

@@ -1,5 +1,7 @@
{% load i18n %} {% load i18n %}
{% with "href='http://pretix.eu'" as a_attr %} {% load safelink %}
{% safelink "https://pretix.eu" as pretixurl %}
{% with 'href="'|add:pretixurl|add:'"'|safe as a_attr %}
{% blocktrans trimmed %} {% blocktrans trimmed %}
powered by <a {{ a_attr }}>pretix</a> powered by <a {{ a_attr }}>pretix</a>
{% endblocktrans %} {% endblocktrans %}

3
src/pretix/urls.py
View File

@@ -8,7 +8,7 @@ from django.views.i18n import javascript_catalog
import pretix.control.urls import pretix.control.urls
import pretix.presale.urls import pretix.presale.urls
from .base.views import cachedfiles, health from .base.views import cachedfiles, health, redirect
# This is not a valid Django URL configuration, as the final # This is not a valid Django URL configuration, as the final
# configuration is done by the pretix.multidomain package. # configuration is done by the pretix.multidomain package.
@@ -25,6 +25,7 @@ base_patterns = [
name='cachedfile.download'), name='cachedfile.download'),
url(r'^healthcheck/$', health.healthcheck, url(r'^healthcheck/$', health.healthcheck,
name='healthcheck'), name='healthcheck'),
url(r'^redirect/$', redirect.redir_view, name='redirect'),
url(r'^jsi18n/$', url(r'^jsi18n/$',
etag(lambda *s, **k: import_date)(cache_page(3600, key_prefix='js18n-%s' % import_date)(javascript_catalog)), etag(lambda *s, **k: import_date)(cache_page(3600, key_prefix='js18n-%s' % import_date)(javascript_catalog)),
js_info_dict, name='javascript-catalog'), js_info_dict, name='javascript-catalog'),