Fix open redirect of "next" request parameter #150
Conversation
Hi @bbc2, I think that it would be good if you will make UPDATE: remove unneeded "for all use-cases"
To be honest, I should probably not have introduced the @lingthio What do you think? Should I keep this as is, remove the unneeded
@bbc2 one good use-case is when your login-page (or another one) isn't on
OK, fair enough. I guess it would be a good candidate for an
The weakness is also known as CWE-601. This commit prevents open redirects by checking every "next" parameter, either from a URL or a form. Closes lingthio#119
There are two commits now. One for fixing the vulnerability, the other making the fallback URL configurable. Looks good to you?
@bbc2 thank you.
I think it's easy to add if it turns out to be necessary. I'd like to keep it minimal. |
This feature got implemented a while back using the make_safe_url() function that can be customized. It's in Flask-User v0.6 as well as v1.0. |
This fixes the security issue reported in #119 by forcing the network location of the `next` parameter to be the same as that of the website.
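The check described in the PR description and in the commit message above (compare the network location of every `next` value, whether it came from the query string or a form field, and fall back to a configurable URL when it does not match) is shown below as an added example. It is not Flask-User's `make_safe_url()` and not code from this PR; it is a stand-alone implementation written for illustration. It assumes `host_url` is the site's own absolute base URL (in a Flask app that would be `request.host_url`) and uses plain dicts in place of `request.args` / `request.form` so it runs without Flask. It goes slightly beyond the PR text by also refusing backslashes, control characters and the `///host` form, which some browsers parse as scheme-relative URLs even though `urllib` does not.

```python
from urllib.parse import urljoin, urlsplit, urlunsplit


def safe_redirect_target(next_url, host_url):
    """Return an absolute URL for next_url if it stays on this site, else None.

    host_url is the site's own base URL, e.g. "https://example.com/" (in Flask
    this would be request.host_url). The target must keep the same scheme and
    network location (host and port) as host_url.
    """
    if not next_url:
        return None
    # Browsers strip surrounding whitespace and mangle control characters;
    # refuse anything that contains them rather than guess how a client parses it.
    next_url = next_url.strip()
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in next_url):
        return None
    # Browsers treat "\" like "/", so "/\evil.com" is really "//evil.com".
    next_url = next_url.replace("\\", "/")
    # Some URL parsers collapse "///evil.com" into the scheme-relative
    # "//evil.com"; urllib does not, so reject it explicitly.
    if next_url.startswith("///"):
        return None

    host = urlsplit(host_url)
    if not host.scheme or not host.netloc:
        raise ValueError("host_url must be absolute, e.g. https://example.com/")

    # Resolve against the site so that "/login" and "//evil.com" both become
    # absolute URLs whose scheme and netloc can be compared directly.
    target = urlsplit(urljoin(host_url, next_url))
    if target.scheme != host.scheme:
        return None  # rejects javascript:, mailto:, data: and scheme changes
    if target.netloc.lower() != host.netloc.lower():
        return None  # rejects evil.com, example.com@evil.com, example.com.evil.com
    return urlunsplit(target)


def resolve_next(next_url, host_url, fallback="/"):
    """Return the validated next_url, or the configurable fallback if unsafe."""
    return safe_redirect_target(next_url, host_url) or fallback


def next_from_request(args, form, host_url, fallback="/"):
    """Validate the "next" value from the query string first, then the form body.

    args and form are plain dicts standing in for request.args / request.form.
    Both sources go through the same check, so a form field cannot bypass it.
    """
    candidate = args.get("next") or form.get("next")
    return resolve_next(candidate, host_url, fallback)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real report.
    site = "https://example.com/"
    for candidate in ["/account", "https://example.com/a?x=1", "//evil.com/",
                      "/\\evil.com", "///evil.com", "javascript:alert(1)",
                      "https://example.com@evil.com/", "https://example.com.evil.com/"]:
        print(f"{candidate!r:40} -> {resolve_next(candidate, site)}")
```

The function returns the re-assembled absolute URL rather than the raw parameter, so whatever the browser is sent is exactly what was compared; if you adapt this for a real app, pass `request.host_url` as `host_url` and compare against the port as well, which `netloc` already includes.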