
Login page will not redirect to urls that don't start with a / #230



This fixes redirecting off to evil.com in Issue #229.


Showing 2 unique commits by 2 authors.

Oct 07, 2012
Login page will not redirect to urls that don't start with a / 6a9a821
Oct 10, 2012
The redirect on the login page is more restrictive and redirects cann…
…ot leave 4clojure.com
c14c67a
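--- a/src/foreclojure/login.clj
+++ b/src/foreclojure/login.clj
@@ -3,7 +3,7 @@
             [ring.util.response       :as   response])
   (:import  [org.jasypt.util.password StrongPasswordEncryptor])
   (:use     [hiccup.form              :only [form-to label text-field password-field check-box]]
-            [foreclojure.utils        :only [from-mongo flash-error flash-msg form-row assuming send-email login-url]]
+            [foreclojure.utils        :only [from-mongo flash-error flash-msg form-row assuming send-email login-url decode-url]]
             [foreclojure.template     :only [def-page content-page]]
             [foreclojure.messages     :only [err-msg]]
             [compojure.core           :only [defroutes GET POST]]
@@ -33,11 +33,12 @@
 
 (def-page my-login-page [location]
   (do
-    (if location (session/put! :login-to location))
+    (let [sanitized-location (sanitize-url location)] 
+      (if sanitized-location  (session/put! :login-to sanitized-location))) 
     {:title "4clojure - login"
      :content
      (content-page
-      {:main login-box})}))
+       {:main login-box})}))
 
 (defn do-login [user pwd]
   (let [user (.toLowerCase user)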
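Review bot: The new line 36 of my-login-page calls `sanitize-url`, but the widened `:use` vector on line 6 refers `decode-url` rather than `sanitize-url`, so the symbol is unresolved at load time unless login.clj refers it somewhere outside these two hunks; `decode-url` itself is not used anywhere in the shown code. The likely intent is `[foreclojure.utils :only [... send-email login-url sanitize-url]]`. Note also that when `sanitize-url` returns nil the `:login-to` key already in the session is left untouched, so a rejected location silently falls back to whatever an earlier visit stored; if that is not wanted, the rejected case should `session/remove!` the key, which I have not verified exists in this session library. The ns form that the first hunk belongs to continues outside the hunk.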
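--- a/src/foreclojure/utils.clj
+++ b/src/foreclojure/utils.clj
@@ -7,7 +7,7 @@
             [clojure.string           :as   string]
             [foreclojure.git          :as   git]
             [hiccup.page              :as   hiccup])
-  (:import  [java.net                 URLEncoder]
+  (:import  [java.net                 URLEncoder URLDecoder]
             (org.apache.commons.lang  StringEscapeUtils)
             (org.apache.commons.mail  HtmlEmail))
   (:use     [hiccup.core              :only [html]]
@@ -16,7 +16,7 @@
             [hiccup.form              :only [label]]
             [useful.fn                :only [to-fix]]
             [somnium.congomongo       :only [fetch-one]]
-            [foreclojure.ring-utils   :only [*url* static-url]]
+            [foreclojure.ring-utils   :only [*url* static-url universal-url]]
             [foreclojure.config       :only [config repo-url]]))
 
 (defn as-int [s]
@@ -84,6 +84,19 @@
   ([m ks f & args]
      (maybe-update m ks #(apply f % args))))
 
+(defn decode-url [url]
+  (URLDecoder/decode url))
+
+(defn encode-url [url]
+  (URLEncoder/encode url))
+
+(defn sanitize-url [url]
+  (if (nil? url)
+    nil
+    (let [decoded-url (decode-url url)]
+    (if (re-matches #"[a-zA-Z0-9/]+" decoded-url)
+      (str (encode-url (universal-url decoded-url)))))))
+
 (defn login-url
   ([] (login-url *url*))
   ([location]
@@ -213,4 +226,4 @@
 (defn get-theme []
   (if-user [{:keys [theme]}]
     (or theme default-theme)
-    default-theme))
+    default-theme))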
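Review bot: `sanitize-url` (new lines 93-98) turns a malformed `location` into an exception instead of a nil: `URLDecoder/decode` throws IllegalArgumentException on an invalid percent-escape (a `%` not followed by two hex digits), so a bad query value would make the login page fail rather than just drop the redirect. The one-argument `URLDecoder/decode` and `URLEncoder/encode` overloads used on lines 88 and 91 are also deprecated and use the platform default charset, so passing "UTF-8" explicitly keeps the decode/encode round trip deterministic across hosts. The `(if (nil? url) nil ...)` form is more idiomatically `when`, and the inner else-less `if` already yields nil, so the function collapses to a single `when` chain. The whitelist `[a-zA-Z0-9/]+` also rejects `-`, `_` and `.`, which silently drops any redirect to a site path containing them; worth confirming against the routes, and the last hunk (get-theme) appears to change only the trailing line ending.
```clojure
(defn decode-url [url]
  ;; explicit charset: the one-arg overload is deprecated and platform-dependent
  (URLDecoder/decode url "UTF-8"))

(defn encode-url [url]
  (URLEncoder/encode url "UTF-8"))

(defn sanitize-url [url]
  ;; Accepts only a decoded value made of letters, digits and slashes and
  ;; returns it encoded after universal-url; nil for nil input, for values
  ;; outside the whitelist, and for undecodable percent-escapes.
  (when url
    (let [decoded-url (try (decode-url url)
                           (catch IllegalArgumentException _ nil))]
      (when (and decoded-url (re-matches #"[a-zA-Z0-9/]+" decoded-url))
        (str (encode-url (universal-url decoded-url)))))))
```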