# HG changeset patch
# User Mads Kiilerich
# Date 1433883061 -7200
# Node ID f47d6187095f16acb94caadfb8e4a7b7fac3fe49
# Parent c417ef1f43b16b980069b322b659b5a5e979536b
login: refactor came_from and _validate_came_from handling
diff -r c417ef1f43b1 -r f47d6187095f kallithea/controllers/login.py
--- a/kallithea/controllers/login.py Tue Jun 09 22:50:20 2015 +0200
+++ b/kallithea/controllers/login.py Tue Jun 09 22:51:01 2015 +0200
@@ -87,8 +87,9 @@
 return headers
 def _validate_came_from(self, came_from):
+ """Return True if came_from is valid and can and should be used"""
 if not came_from:
- return came_from
+ return False
 parsed = urlparse.urlparse(came_from)
 server_parsed = urlparse.urlparse(url.current())
@@ -96,12 +97,12 @@
 if parsed.scheme and parsed.scheme not in allowed_schemes:
 log.error('Suspicious URL scheme detected %s for url %s' %
 (parsed.scheme, parsed))
- came_from = url('home')
- elif server_parsed.netloc != parsed.netloc:
+ return False
+ if server_parsed.netloc != parsed.netloc:
 log.error('Suspicious NETLOC detected %s for url %s server url '
 'is: %s' % (parsed.netloc, parsed, server_parsed))
- came_from = url('home')
- return came_from
+ return False
+ return True
 def _redirect_to_origin(self, origin, headers=None):
 '''redirect to the original page, preserving any get arguments given'''
@@ -109,9 +110,9 @@
 raise HTTPFound(location=url(origin, **request.GET), headers=headers)
 def index(self):
- _default_came_from = url('home')
- came_from = self._validate_came_from(safe_str(request.GET.get('came_from', '')))
- c.came_from = came_from or _default_came_from
+ c.came_from = safe_str(request.GET.get('came_from', ''))
+ if not self._validate_came_from(c.came_from):
+ c.came_from = url('home')
 not_default = self.authuser.username != User.DEFAULT_USER
 ip_allowed = self.authuser.ip_allowed
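Review bot: The `return True` that ends `_validate_came_from` still trusts urlparse's notion of netloc, which disagrees with how browsers split a URL: a value like `/\evil.example` parses with no scheme and an empty netloc, so it clears both checks whenever `server_parsed.netloc` is empty as well (which is the case if `url.current()` returns a path-only URL — not visible here, please confirm), yet browsers read the backslash as a slash and follow the redirect off-site. When `url.current()` is host-qualified instead, that host presumably derives from the request's Host header, so a client can make the netloc comparison succeed by sending the same forged Host alongside its came_from. For a post-login return URL the robust rule is to accept only a plain relative path on this server, e.g. `if parsed.scheme or parsed.netloc or '\\' in came_from or not came_from.startswith('/') or came_from.startswith('//'): return False` placed before the final `return True`. The `def` line, `allowed_schemes` and the opening lines of this function lie outside the hunk.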
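Review bot: The raw `came_from` query value is written to the template context `c.came_from` before it has been validated (first added line of `index`), so any future code that reads `c.came_from` between that assignment and the `_validate_came_from` check would see an unvalidated redirect target. Keeping the untrusted value in a local until it is accepted makes the intent explicit: `came_from = safe_str(request.GET.get('came_from', ''))` followed by `c.came_from = came_from if self._validate_came_from(came_from) else url('home')`. The body of `index` continues past the end of the hunk.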