Fixed a referer leak

2026-05-06 15:24:02 +00:00 · 2016-09-14 10:34:20 +02:00
parent 5c791e7fab
commit f128a5f559
5 changed files with 35 additions and 2 deletions
--- a/src/pretix/base/templatetags/safelink.py
+++ b/src/pretix/base/templatetags/safelink.py
@@ -0,0 +1,10 @@
+from django import template
+
+from ..views.redirect import safelink as sl
+
+register = template.Library()
+
+
+@register.simple_tag
+def safelink(url):
+    return sl(url)
--- a/src/pretix/base/views/redirect.py
+++ b/src/pretix/base/views/redirect.py
@@ -0,0 +1,19 @@
+import urllib.parse
+
+from django.core import signing
+from django.core.urlresolvers import reverse
+from django.http import HttpResponseBadRequest, HttpResponseRedirect
+
+
+def redir_view(request):
+    signer = signing.Signer(salt='safe-redirect')
+    try:
+        url = signer.unsign(request.GET.get('url', ''))
+    except signing.BadSignature:
+        return HttpResponseBadRequest('Invalid parameter')
+    return HttpResponseRedirect(url)
+
+
+def safelink(url):
+    signer = signing.Signer(salt='safe-redirect')
+    return reverse('redirect') + '?url=' + urllib.parse.quote(signer.sign(url))
--- a/src/pretix/presale/templates/pretixpresale/base.html
+++ b/src/pretix/presale/templates/pretixpresale/base.html
@@ -27,6 +27,7 @@
    {% endcompress %}
    {{ html_head|safe }}
    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <meta name="referrer" content="origin">
    <link rel="icon" href="{% static "pretixbase/img/favicon.ico" %}">
 </head>
 <body data-locale="{{ request.LANGUAGE_CODE }}">
--- a/src/pretix/presale/templates/pretixpresale/base_footer.html
+++ b/src/pretix/presale/templates/pretixpresale/base_footer.html
@@ -1,5 +1,7 @@
 {% load i18n %}
-{% with "href='http://pretix.eu'" as a_attr %}
+{% load safelink %}
+{% safelink "https://pretix.eu" as pretixurl %}
+{% with 'href="'|add:pretixurl|add:'"'|safe as a_attr %}
    {% blocktrans trimmed %}
        powered by <a {{ a_attr }}>pretix</a>
    {% endblocktrans %}
--- a/src/pretix/urls.py
+++ b/src/pretix/urls.py
@@ -8,7 +8,7 @@ from django.views.i18n import javascript_catalog
 import pretix.control.urls
 import pretix.presale.urls

-from .base.views import cachedfiles, health
+from .base.views import cachedfiles, health, redirect

 # This is not a valid Django URL configuration, as the final
 # configuration is done by the pretix.multidomain package.
@@ -25,6 +25,7 @@ base_patterns = [
        name='cachedfile.download'),
    url(r'^healthcheck/$', health.healthcheck,
        name='healthcheck'),
+    url(r'^redirect/$', redirect.redir_view, name='redirect'),
    url(r'^jsi18n/$',
        etag(lambda *s, **k: import_date)(cache_page(3600, key_prefix='js18n-%s' % import_date)(javascript_catalog)),
        js_info_dict, name='javascript-catalog'),