changeset 5177:f47d6187095f

login: refactor came_from and _validate_came_from handling
author Mads Kiilerich <madski@unity3d.com>
date Tue, 09 Jun 2015 22:51:01 +0200
parents c417ef1f43b1
children 221d6a002601
files kallithea/controllers/login.py
diffstat 1 files changed, 9 insertions(+), 8 deletions(-) [+]
--- a/kallithea/controllers/login.py	Tue Jun 09 22:50:20 2015 +0200
+++ b/kallithea/controllers/login.py	Tue Jun 09 22:51:01 2015 +0200
@@ -87,8 +87,9 @@
         return headers
 
     def _validate_came_from(self, came_from):
+        """Return True if came_from is valid and can and should be used"""
         if not came_from:
-            return came_from
+            return False
 
         parsed = urlparse.urlparse(came_from)
         server_parsed = urlparse.urlparse(url.current())
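Review bot: The new docstring on `_validate_came_from` states the return contract but not what "valid" means, and the meaning hinges on `url.current()` a few lines below: the function accepts only URLs whose netloc equals that of the current request URL, so whether relative paths (empty netloc) or fully-qualified URLs pass depends on whether `url.current()` yields a qualified URL — I cannot tell from the hunk which it is. I would extend the docstring to `"""Return True if came_from is valid and can and should be used: empty values, non-allowed schemes and any netloc other than the current request's are rejected (see url.current())."""`, and add a one-line comment next to `server_parsed` recording which form `url.current()` returns so the netloc comparison is not silently inverted if that changes. Note the function body continues into the next hunk, where the scheme and netloc checks live.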
@@ -96,12 +97,12 @@
         if parsed.scheme and parsed.scheme not in allowed_schemes:
             log.error('Suspicious URL scheme detected %s for url %s' %
                      (parsed.scheme, parsed))
-            came_from = url('home')
-        elif server_parsed.netloc != parsed.netloc:
+            return False
+        if server_parsed.netloc != parsed.netloc:
             log.error('Suspicious NETLOC detected %s for url %s server url '
                       'is: %s' % (parsed.netloc, parsed, server_parsed))
-            came_from = url('home')
-        return came_from
+            return False
+        return True
 
     def _redirect_to_origin(self, origin, headers=None):
         '''redirect to the original page, preserving any get arguments given'''
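Review bot: Both `log.error` calls in this hunk format the attacker-controlled `came_from` value eagerly with `%`, while the logging module's lazy form, `log.error('Suspicious URL scheme detected %s for url %s', parsed.scheme, parsed)`, defers formatting and keeps the untrusted value out of the template; the same applies to the netloc message two lines below. Since these branches now return False rather than rewriting `came_from`, a rejected value is purely a client-side condition and `log.warning` would arguably be the better level, though the original author chose `error` and that is a judgement call. The new docstring above uses `"""` whereas `_redirect_to_origin` on the last line uses `'''`; picking one style for the controller would be tidier. `_redirect_to_origin` itself starts at the end of this hunk and its body is outside it.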
@@ -109,9 +110,9 @@
         raise HTTPFound(location=url(origin, **request.GET), headers=headers)
 
     def index(self):
-        _default_came_from = url('home')
-        came_from = self._validate_came_from(safe_str(request.GET.get('came_from', '')))
-        c.came_from = came_from or _default_came_from
+        c.came_from = safe_str(request.GET.get('came_from', ''))
+        if not self._validate_came_from(c.came_from):
+            c.came_from = url('home')
 
         not_default = self.authuser.username != User.DEFAULT_USER
         ip_allowed = self.authuser.ip_allowed