changeset 5509:ad131f703996 stable

login: make it clear that an invalid came_from is an invalid request
author Mads Kiilerich <madski@unity3d.com>
date Sun, 20 Sep 2015 22:22:50 +0200
parents b98f4431671c
children a0a9ae753cc4
files kallithea/controllers/login.py
diffstat 1 files changed, 4 insertions(+), 1 deletions(-) [+]
--- a/kallithea/controllers/login.py	Sun Sep 20 22:22:50 2015 +0200
+++ b/kallithea/controllers/login.py	Sun Sep 20 22:22:50 2015 +0200
@@ -76,7 +76,10 @@
 
     def index(self):
         c.came_from = safe_str(request.GET.pop('came_from', ''))
-        if self._validate_came_from(c.came_from):
+        if c.came_from:
+            if not self._validate_came_from(c.came_from):
+                log.error('Invalid came_from (not server-relative): %r', c.came_from)
+                raise HTTPBadRequest()
             came_from = url(c.came_from, **request.GET)
         else:
             c.came_from = came_from = url('home')
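Review bot: The new `_validate_came_from` check covers only the path, not the final redirect target. On the unchanged line `came_from = url(c.came_from, **request.GET)` the remaining query parameters are still passed to `url()` as keyword arguments whose names the client chooses. If `url()` gives any keyword names special meaning (not visible in this hunk, so confirm against the routing library), the extra parameters should be restricted or dropped before the URL is built. Separately, `log.error` on a value that any unauthenticated client can send makes error-level noise cheap to generate; `log.warning('Invalid came_from (not server-relative): %r', c.came_from)` keeps the `%r` escaping and suits a rejected request better. The body of `index` continues outside the hunk.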