[SECURITY] Make redirect view dependent on referer

2026-05-05 15:14:04 +00:00 · 2022-01-25 13:53:03 +01:00
parent 3596fa9c5a
commit 6f30c347c0
2 changed files with 49 additions and 0 deletions
--- a/src/pretix/base/templates/pretixbase/redirect.html
+++ b/src/pretix/base/templates/pretixbase/redirect.html
@@ -0,0 +1,26 @@
+{% extends "error.html" %}
+{% load i18n %}
+{% load rich_text %}
+{% load static %}
+{% block title %}{% trans "Redirect" %}{% endblock %}
+{% block content %}
+<i class="fa fa-link fa-fw big-icon"></i>
+<div class="error-details">
+    <h1>{% trans "Redirect" %}</h1>
+    <h3>
+        {% blocktrans trimmed with host="<strong>"|add:hostname|add:"</strong>"|safe %}
+        The link you clicked on wants to redirect you to a destination on the website {{ host }}.
+        {% endblocktrans %}
+        {% blocktrans trimmed %}
+        Please only proceed if you trust this website to be safe.
+        {% endblocktrans %}
+    </h3>
+    <p>
+        <a href="{{ url }}" class="btn btn-primary btn-lg">
+            {% blocktrans trimmed with host=hostname %}
+            Proceed to {{ host }}
+            {% endblocktrans %}
+        </a>
+    </p>
+</div>
+{% endblock %}
--- a/src/pretix/base/views/redirect.py
+++ b/src/pretix/base/views/redirect.py
@@ -24,6 +24,21 @@ import urllib.parse
 from django.core import signing
 from django.http import HttpResponseBadRequest, HttpResponseRedirect
 from django.urls import reverse
+from django.shortcuts import render
+
+
+def _is_samesite_referer(request):
+    referer = request.META.get('HTTP_REFERER')
+    if referer is None:
+        return False
+
+    referer = urllib.parse.urlparse(referer)
+
+    # Make sure we have a valid URL for Referer.
+    if '' in (referer.scheme, referer.netloc):
+        return False
+
+    return (referer.scheme, referer.netloc) == (request.scheme, request.get_host())


 def redir_view(request):
@@ -32,6 +47,14 @@ def redir_view(request):
        url = signer.unsign(request.GET.get('url', ''))
    except signing.BadSignature:
        return HttpResponseBadRequest('Invalid parameter')
+
+    if not _is_samesite_referer(request):
+        u = urllib.parse.urlparse(url)
+        return render(request, 'pretixbase/redirect.html', {
+            'hostname': u.hostname,
+            'url': url,
+        })
+
    r = HttpResponseRedirect(url)
    r['X-Robots-Tag'] = 'noindex'
    return r