comparison rhodecode/controllers/login.py @ 2678:04d2bcfbe7a6 beta
security fix, inspired by django security
announcement: https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/
- filter out bad schemes and netloc differences
author | Marcin Kuzminski <marcin@python-works.com> |
---|---|
date | Tue, 31 Jul 2012 00:27:22 +0200 |
parents | 44678a64cfae |
children | dffb92224edf |
2677:4fbbc65e8cd5 | 2678:04d2bcfbe7a6 |
---|---|
24 # along with this program. If not, see <http://www.gnu.org/licenses/>. | 24 # along with this program. If not, see <http://www.gnu.org/licenses/>. |
25 | 25 |
26 import logging | 26 import logging |
27 import formencode | 27 import formencode |
28 import datetime | 28 import datetime |
29 import urlparse | |
29 | 30 |
30 from formencode import htmlfill | 31 from formencode import htmlfill |
31 from webob.exc import HTTPFound | 32 from webob.exc import HTTPFound |
32 from pylons.i18n.translation import _ | 33 from pylons.i18n.translation import _ |
33 from pylons.controllers.util import abort, redirect | 34 from pylons.controllers.util import abort, redirect |
94 headers = None | 95 headers = None |
95 if session.request['set_cookie']: | 96 if session.request['set_cookie']: |
96 # send set-cookie headers back to response to update cookie | 97 # send set-cookie headers back to response to update cookie |
97 headers = [('Set-Cookie', session.request['cookie_out'])] | 98 headers = [('Set-Cookie', session.request['cookie_out'])] |
98 | 99 |
100 allowed_schemes = ['http', 'https', 'ftp'] | |
101 parsed = urlparse.urlparse(c.came_from) | |
102 server_parsed = urlparse.urlparse(url.current()) | |
103 | |
104 if parsed.scheme and parsed.scheme not in allowed_schemes: | |
105 log.error('Suspicious URL scheme detected %s for url %s' % | |
106 (parsed.scheme, parsed)) | |
107 c.came_from = url('home') | |
108 elif server_parsed.netloc != parsed.netloc: | |
109 log.error('Suspicious NETLOC detected %s for url %s' | |
110 'server url is: %s' % | |
111 (parsed.netloc, parsed, server_parsed)) | |
112 c.came_from = url('home') | |
99 if c.came_from: | 113 if c.came_from: |
100 raise HTTPFound(location=c.came_from, headers=headers) | 114 raise HTTPFound(location=c.came_from, headers=headers) |
101 else: | 115 else: |
102 raise HTTPFound(location=url('home'), headers=headers) | 116 raise HTTPFound(location=url('home'), headers=headers) |
103 | 117 |
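Review bot: The netloc comparison added at new lines 108–112 only inspects what `urlparse` reports as `netloc`, so a `came_from` whose path begins with a backslash or leading whitespace still parses with an empty netloc and passes the check, although browsers may normalise such a value into a host reference; a guard such as `elif c.came_from.lstrip().startswith('\\'):` before the netloc branch (or rejecting anything that is not a plain absolute path or a parsed absolute URL) would close that gap, and `'ftp'` in `allowed_schemes` is broader than a post-login return URL needs. Separately, the adjacent string literals in the second `log.error` at lines 109–110 have no separator, so the message renders as `...for url <url>server url is: ...`; use one literal, e.g. `'Suspicious NETLOC detected %s for url %s, server url is: %s'`. The enclosing method starts outside the shown section, and whether `url.current()` yields an absolute URL here (which decides whether same-host absolute `came_from` values are accepted or only relative ones) cannot be confirmed from this page.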