comparison rhodecode/controllers/login.py @ 2678:04d2bcfbe7a6 beta

security fix, inspired by django security announcement: https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/ - filter out bad schemes and netloc differences
author Marcin Kuzminski <marcin@python-works.com>
date Tue, 31 Jul 2012 00:27:22 +0200
parents 44678a64cfae
children dffb92224edf
2677:4fbbc65e8cd5 2678:04d2bcfbe7a6
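--- a/rhodecode/controllers/login.py
+++ b/rhodecode/controllers/login.py
@@ -24,10 +24,11 @@
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 
 import logging
 import formencode
 import datetime
+import urlparse
 
 from formencode import htmlfill
 from webob.exc import HTTPFound
 from pylons.i18n.translation import _
 from pylons.controllers.util import abort, redirect
@@ -94,10 +95,23 @@
 headers = None
 if session.request['set_cookie']:
 # send set-cookie headers back to response to update cookie
 headers = [('Set-Cookie', session.request['cookie_out'])]
 
+allowed_schemes = ['http', 'https', 'ftp']
+parsed = urlparse.urlparse(c.came_from)
+server_parsed = urlparse.urlparse(url.current())
+
+if parsed.scheme and parsed.scheme not in allowed_schemes:
+log.error('Suspicious URL scheme detected %s for url %s' %
+(parsed.scheme, parsed))
+c.came_from = url('home')
+elif server_parsed.netloc != parsed.netloc:
+log.error('Suspicious NETLOC detected %s for url %s'
+'server url is: %s' %
+(parsed.netloc, parsed, server_parsed))
+c.came_from = url('home')
 if c.came_from:
 raise HTTPFound(location=c.came_from, headers=headers)
 else:
 raise HTTPFound(location=url('home'), headers=headers)
 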
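Review bot: `urlparse.urlparse(c.came_from)` on new-side line 101 runs before the pre-existing `if c.came_from:` fallback, so if came_from can be unset (the `else` branch redirecting to `url('home')` suggests it may be falsy) the parse fails on a non-string before the fallback is reached; wrapping the new block in `if c.came_from:` or parsing `c.came_from or ''` keeps the home redirect reachable. The two implicitly concatenated literals in the NETLOC log call on new-side lines 109-110 have no separator, so the message renders as `...for url %sserver url is: %s`; add a trailing space to the first literal, `'Suspicious NETLOC detected %s for url %s '`. Whether `url.current()` returns a host-qualified URL is not visible here; if it yields a path-only URL, `server_parsed.netloc` is empty and the comparison effectively rejects every absolute came_from while accepting any relative one, which is worth stating in a comment such as `# came_from must be relative or point at this server's host`. The enclosing method begins and ends outside the hunk.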