Disable covert redirects and CSRF token leaking
This disallows the url() function from returning any remote URLs.
This prevents covert redirects, and also prevents us from leaking
CSRF tokens to outside parties.

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
puiterwijk committed May 5, 2017
1 parent 6cf9094 commit b27f38a
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions fedora/tg/utils.py
Expand Up @@ -81,6 +81,11 @@ def url(tgpath, tgparams=None, **kwargs):
'''
if not isinstance(tgpath, six.string_types):
tgpath = '/'.join(list(tgpath))
if not tgpath.startswith('/'):
# Do not allow the url() function to be used for external urls.
# This function is primarily used in redirect() calls, so this prevents
# covert redirects and thus CSRF leaking.
tgpath = '/'
if tgpath.startswith('/'):
webpath = (config.get('server.webpath') or '').rstrip('/')
if tg_util.request_available():
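Review bot: the new guard in `url()` only checks `tgpath.startswith('/')`, so a path beginning with `//` (for example `//host/path`) passes the check even though browsers treat such a value as a scheme-relative URL pointing at another host; since the next lines only prepend `config.get('server.webpath')`, which may be empty, this does not fully close the covert-redirect hole the commit message describes. Consider also rejecting `tgpath.startswith('//')` (or collapsing leading slashes) in the same branch. Two smaller points: the fallback silently replaces any non-absolute `tgpath`, including ordinary relative paths such as `'foo/bar'` that were never remote, with `'/'`, so a log message or an explicit error would make such callers visible rather than quietly redirecting them to the root; and because `tgpath` is now always absolute, the following `if tgpath.startswith('/'):` is always true and whatever else-branch it once guarded is now dead and could be removed.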

0 comments on commit b27f38a
