Skip to content
Permalink
Browse files Browse the repository at this point in the history
Protect against XSS vulnerabilities in URL redirection
- Switch from base64 to URL encoding for the passing the URL, using the built-in Mako filtering
- Apply HTML filtering to Mako output by default
- Disable HTML filtering for nested templates in adduser, modify, and selfmodify
  • Loading branch information
jthiltges committed Jan 2, 2019
1 parent 1ed654c commit 6f98076
Show file tree
Hide file tree
Showing 5 changed files with 24 additions and 23 deletions.
23 changes: 12 additions & 11 deletions ldapcherry/__init__.py
Expand Up @@ -15,7 +15,7 @@
import logging.handlers
from operator import itemgetter
from socket import error as socket_error
import base64
import urllib
import cgi

from exceptions import *
Expand Down Expand Up @@ -387,7 +387,8 @@ def _load_templates(self, config):
)
# preload templates
self.temp_lookup = lookup.TemplateLookup(
directories=self.template_dir, input_encoding='utf-8'
directories=self.template_dir, input_encoding='utf-8',
default_filters=['unicode', 'h']
)
# load each template
self.temp = {}
Expand Down Expand Up @@ -573,7 +574,7 @@ def _check_session(self):

def _check_auth(self, must_admin, redir_login=True):
""" check if a user is autheticated and, optionnaly an administrator
if user not authentifaced -> redirection to login page (with base64
if user not authenticated -> redirect to login page (with escaped URL
of the originaly requested page (redirection after login)
if user authenticated, not admin and must_admin enabled -> 403 error
@boolean must_admin: flag "user must be an administrator to access
Expand All @@ -588,13 +589,13 @@ def _check_auth(self, must_admin, redir_login=True):
qs = ''
else:
qs = '?' + cherrypy.request.query_string
# base64 of the requested URL
b64requrl = base64.b64encode(cherrypy.url() + qs)
# Escaped version of the requested URL
quoted_requrl = urllib.quote_plus(cherrypy.url() + qs)
if not username:
# return to login page (with base64 of the url in query string
# return to login page (with quoted url in query string)
if redir_login:
raise cherrypy.HTTPRedirect(
"/signin?url=%(url)s" % {'url': b64requrl},
"/signin?url=%(url)s" % {'url': quoted_requrl},
)
else:
raise cherrypy.HTTPError(
Expand All @@ -606,7 +607,7 @@ def _check_auth(self, must_admin, redir_login=True):
or not cherrypy.session['connected']:
if redir_login:
raise cherrypy.HTTPRedirect(
"/signin?url=%(url)s" % {'url': b64requrl},
"/signin?url=%(url)s" % {'url': quoted_requrl},
)
else:
raise cherrypy.HTTPError(
Expand All @@ -631,7 +632,7 @@ def _check_auth(self, must_admin, redir_login=True):
else:
if redir_login:
raise cherrypy.HTTPRedirect(
"/signin?url=%(url)s" % {'url': b64requrl},
"/signin?url=%(url)s" % {'url': quoted_requrl},
)
else:
raise cherrypy.HTTPError(
Expand Down Expand Up @@ -919,7 +920,7 @@ def login(self, login, password, url=None):
if url is None:
redirect = "/"
else:
redirect = base64.b64decode(url)
redirect = url
raise cherrypy.HTTPRedirect(redirect)
else:
message = "login failed for user '%(user)s'" % {
Expand All @@ -932,7 +933,7 @@ def login(self, login, password, url=None):
if url is None:
qs = ''
else:
qs = '?url=' + url
qs = '?url=' + urllib.quote_plus(url)
raise cherrypy.HTTPRedirect("/signin" + qs)

@cherrypy.expose
Expand Down
4 changes: 2 additions & 2 deletions resources/templates/adduser.tmpl
Expand Up @@ -9,11 +9,11 @@
<form method='POST' autocomplete="off" action='/adduser' role="form" class="form-signin" id=form>
<fieldset>
<legend>Fill new user's attributes:</legend>
${form}
${form | n}
</fieldset>
<fieldset>
<legend>Enable/Disable user's roles:</legend>
${roles}
${roles | n}
</fieldset>
<div class="form-group">
<div class="input-group">
Expand Down
14 changes: 7 additions & 7 deletions resources/templates/login.tmpl
Expand Up @@ -4,13 +4,13 @@
<div class="row clearfix" style="margin-top:30px">
<div class="col-md-4 column"></div>
<div class="col-md-4 column well">
<%
if url is None:
qs=''
else:
qs='?url=' + url
%>
<form method='POST' action='/login${qs}' role="form" class="form-signin">
<form method='POST' role="form" class="form-signin"
% if url:
action='login?url=${url | u}'
% else:
action='login'
% endif
>
<div class="form-group">
<h2 class="form-signin-heading">Please sign in</h2>
<div class="input-group">
Expand Down
4 changes: 2 additions & 2 deletions resources/templates/modify.tmpl
Expand Up @@ -9,11 +9,11 @@
<form method='POST' action='/modify' role="form" class="form-signin" id="form">
<fieldset>
<legend>Modify user's attributes:</legend>
${form}
${form | n}
</fieldset>
<fieldset>
<legend>Enable/Disable user's roles:</legend>
${roles}
${roles | n}
</fieldset>
% if len(standalone_groups) != 0:
<fieldset>
Expand Down
2 changes: 1 addition & 1 deletion resources/templates/selfmodify.tmpl
Expand Up @@ -8,7 +8,7 @@
<div class="well well-sm">
<form method='POST' action='/selfmodify' autocomplete="off" role="form" class="form-signin" id="form">
<legend>Modify your attributes:</legend>
${form}
${form | n}
</fieldset>
<div class="form-group">
<div class="input-group">
Expand Down

0 comments on commit 6f98076

Please sign in to comment.