changeset 2678:04d2bcfbe7a6 beta

Security fix, inspired by the Django security announcement https://www.djangoproject.com/weblog/2012/jul/30/security-releases-issued/ - reject a came_from redirect target whose URL scheme is not allowed or whose netloc differs from the server's
author Marcin Kuzminski <marcin@python-works.com>
date Tue, 31 Jul 2012 00:27:22 +0200
parents 4fbbc65e8cd5
children dffb92224edf f4b20558ae16
files rhodecode/controllers/login.py
diffstat 1 files changed, 14 insertions(+), 0 deletions(-) [+]
--- a/rhodecode/controllers/login.py	Mon Jul 30 23:29:03 2012 +0200
+++ b/rhodecode/controllers/login.py	Tue Jul 31 00:27:22 2012 +0200
@@ -26,6 +26,7 @@
 import logging
 import formencode
 import datetime
+import urlparse
 
 from formencode import htmlfill
 from webob.exc import HTTPFound
@@ -96,6 +97,19 @@
                     # send set-cookie headers back to response to update cookie
                     headers = [('Set-Cookie', session.request['cookie_out'])]
 
+                allowed_schemes = ['http', 'https', 'ftp']
+                parsed = urlparse.urlparse(c.came_from)
+                server_parsed = urlparse.urlparse(url.current())
+
+                if parsed.scheme and parsed.scheme not in allowed_schemes:
+                    log.error('Suspicious URL scheme detected %s for url %s' %
+                              (parsed.scheme, parsed))
+                    c.came_from = url('home')
+                elif server_parsed.netloc != parsed.netloc:
+                    log.error('Suspicious NETLOC detected %s for url %s'
+                              'server url is: %s' %
+                              (parsed.netloc, parsed, server_parsed))
+                    c.came_from = url('home')
                 if c.came_from:
                     raise HTTPFound(location=c.came_from, headers=headers)
                 else:
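Review bot: The scheme/netloc validation added before the redirect still lets a backslash-prefixed value through: `urlparse.urlparse('/\\evil.example')` yields an empty scheme and an empty netloc, so it passes both branches, yet some browsers normalise a leading `/\` to `//` and would follow it off-site; reject any backslash up front, e.g. `if '\\' in c.came_from or (parsed.scheme and parsed.scheme not in allowed_schemes):`. For a post-login redirect `ftp` has no legitimate use, so `allowed_schemes = ['http', 'https']` is the tighter allow-list. The existing `if c.came_from:` guard below suggests the value can be empty or None; if it can be None, `urlparse.urlparse(None)` raises on Python 2, so the validation should move under that guard (the enclosing method starts outside the hunk). Minor: the two adjacent string literals in the second `log.error` are joined without a separator, so the message reads "...for url <url>server url is: ..."; add a space or a separator at the end of the first literal.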