CGM_Public/pretix_original
2
0
Fork 1
mirror of https://github.com/pretix/pretix.git synced 2026-05-09 15:54:03 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix Open Redirect issue in /locale/set (#223)

Browse Source 
Thanks to David Gullasch for finding this one.
This commit is contained in:
Tobias Kunze
2016-08-29 19:21:48 +02:00
committed by Raphael Michel
parent 3458d64850
commit 00e9e52072
1 changed files with 6 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/pretix/presale/views/locale.py
View File

@@ -2,14 +2,18 @@ from datetime import datetime, timedelta
from django.conf import settings from django.conf import settings
from django.shortcuts import redirect from django.shortcuts import redirect
from django.utils.http import is_safe_url
from django.views.generic import View from django.views.generic import View
class LocaleSet(View): class LocaleSet(View):
def get(self, request, *args, **kwargs): def get(self, request, *args, **kwargs):
url = request.GET.get('next', request.META.get('HTTP_REFERER', '/'))
url = url if is_safe_url(url, host=request.get_host()) else '/'
resp = redirect(url)
locale = request.GET.get('locale') locale = request.GET.get('locale')
resp = redirect(request.GET.get('next', request.META.get('HTTP_REFERER', '/')))
if locale in [lc for lc, ll in settings.LANGUAGES]: if locale in [lc for lc, ll in settings.LANGUAGES]:
if request.user.is_authenticated(): if request.user.is_authenticated():
request.user.locale = locale request.user.locale = locale
@@ -20,4 +24,5 @@ class LocaleSet(View):
expires=(datetime.utcnow() + timedelta(seconds=max_age)).strftime( expires=(datetime.utcnow() + timedelta(seconds=max_age)).strftime(
'%a, %d-%b-%Y %H:%M:%S GMT'), '%a, %d-%b-%Y %H:%M:%S GMT'),
domain=settings.SESSION_COOKIE_DOMAIN) domain=settings.SESSION_COOKIE_DOMAIN)
return resp return resp