CGM_Public/pretix_original
2
0
Fork 1
mirror of https://github.com/pretix/pretix.git synced 2026-05-16 17:03:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

[SECURITY] Fix unvalidated redirect

Browse Source
This commit is contained in:
Raphael Michel
2020-12-18 18:29:36 +01:00
parent d7a12cc1ee
commit a0631ffba5
2 changed files with 7 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/pretix/control/views/auth.py
View File

@@ -74,7 +74,9 @@ def login(request):
backend = [b for b in backends if b.visible][0] backend = [b for b in backends if b.visible][0]
if request.user.is_authenticated: if request.user.is_authenticated:
next_url = backend.get_next_url(request) or 'control:index' next_url = backend.get_next_url(request) or 'control:index'
return redirect(next_url) if next_url and url_has_allowed_host_and_scheme(next_url, allowed_hosts=None):
return redirect(next_url)
return redirect(reverse('control:index'))
if request.method == 'POST': if request.method == 'POST':
form = LoginForm(backend=backend, data=request.POST) form = LoginForm(backend=backend, data=request.POST)
if form.is_valid() and form.user_cache and form.user_cache.auth_backend == backend.identifier: if form.is_valid() and form.user_cache and form.user_cache.auth_backend == backend.identifier:

4
src/tests/control/test_auth.py
View File

@@ -90,6 +90,10 @@ class LoginFormTest(TestCase):
self.assertEqual(response.status_code, 302) self.assertEqual(response.status_code, 302)
self.assertIn('/control/events/', response['Location']) self.assertIn('/control/events/', response['Location'])
response = self.client.get('/control/login?next=//evilsite.com')
self.assertEqual(response.status_code, 302)
self.assertIn('/control/', response['Location'])
def test_logout(self): def test_logout(self):
response = self.client.post('/control/login', { response = self.client.post('/control/login', {
'email': 'dummy@dummy.dummy', 'email': 'dummy@dummy.dummy',