login: refactor came_from and _validate_came_from handling
madski-unity committed Jun 9, 2015
1 parent 5a1e990 commit 511af27
Showing 1 changed file with 9 additions and 8 deletions.
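--- a/kallithea/controllers/login.py
+++ b/kallithea/controllers/login.py
@@ -87,31 +87,32 @@ def _store_user_in_session(self, username, remember=False):
         return headers
 
     def _validate_came_from(self, came_from):
+        """Return True if came_from is valid and can and should be used"""
         if not came_from:
-            return came_from
+            return False
 
         parsed = urlparse.urlparse(came_from)
         server_parsed = urlparse.urlparse(url.current())
         allowed_schemes = ['http', 'https']
         if parsed.scheme and parsed.scheme not in allowed_schemes:
             log.error('Suspicious URL scheme detected %s for url %s' %
                       (parsed.scheme, parsed))
-            came_from = url('home')
-        elif server_parsed.netloc != parsed.netloc:
+            return False
+        if server_parsed.netloc != parsed.netloc:
             log.error('Suspicious NETLOC detected %s for url %s server url '
                       'is: %s' % (parsed.netloc, parsed, server_parsed))
-            came_from = url('home')
-        return came_from
+            return False
+        return True
 
     def _redirect_to_origin(self, origin, headers=None):
         '''redirect to the original page, preserving any get arguments given'''
         request.GET.pop('came_from', None)
         raise HTTPFound(location=url(origin, **request.GET), headers=headers)
 
     def index(self):
-        _default_came_from = url('home')
-        came_from = self._validate_came_from(safe_str(request.GET.get('came_from', '')))
-        c.came_from = came_from or _default_came_from
+        c.came_from = safe_str(request.GET.get('came_from', ''))
+        if not self._validate_came_from(c.came_from):
+            c.came_from = url('home')
 
         not_default = self.authuser.username != User.DEFAULT_USER
         ip_allowed = self.authuser.ip_allowed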
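Review bot: The netloc comparison in `_validate_came_from` is only as strong as the netloc of `url.current()`; if that resolves to a path-only URL in this Pylons setup (not visible in the hunk), a relative came_from passes with both netlocs empty and nothing then constrains how its path begins. A defensive check before `return True` would be `if not parsed.netloc and (not came_from.startswith('/') or came_from.startswith('//') or '\\' in came_from): return False`, i.e. require a relative target to start with exactly one `/` and contain no backslashes, which is the usual shape of safe-redirect validation. The new docstring would also be more useful if it stated the criterion: `"""Return True if came_from is a safe redirect target: http(s), same netloc as the current request."""`. The pre-existing `log.error(... % ...)` calls would read better as lazy formatting, `log.error('Suspicious URL scheme detected %s for url %s', parsed.scheme, parsed)`.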
