Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix open redirect vulnerability #239

Merged
merged 1 commit into from Jun 23, 2022

Conversation

amarsahinovic
Copy link
Contributor

We've recently discovered that returnTo parameter can cause redirects outside of the application if the URL is in the form of ///attacker.com. To prevent that, I've updated the existing check for safe URLs to use a builtin helper provided by Django which handles this (and more cases).

@codecov
Copy link

codecov bot commented Jun 23, 2022

Codecov Report

Merging #239 (d7ec078) into main (0a61134) will decrease coverage by 0.44%.
The diff coverage is 88.23%.

@@            Coverage Diff             @@
##             main     #239      +/-   ##
==========================================
- Coverage   96.39%   95.95%   -0.45%     
==========================================
  Files          12       12              
  Lines         361      371      +10     
  Branches       50       51       +1     
==========================================
+ Hits          348      356       +8     
- Misses          7        9       +2     
  Partials        6        6              
Impacted Files Coverage Δ
termsandconditions/views.py 96.49% <88.23%> (-1.59%) ⬇️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 0a61134...d7ec078. Read the comment docs.

@cyface cyface merged commit 03396a1 into cyface:main Jun 23, 2022
4 of 6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

2 participants