
does the "next" value in the session need to be validated? #376

Closed
coreybrett opened this issue Dec 4, 2017 · 2 comments

Comments

@coreybrett

I've added the following code to my app...

from flask import Blueprint, redirect, render_template, session, url_for
from flask_login import login_user

from . import forms  # the app's own forms module; LoginForm sets form.user on success

portalbp = Blueprint('portal', __name__)

# Tell Flask-Login to store the post-login destination in the session
# (session['next']) instead of passing it as a ?next= query parameter.
app.config['USE_SESSION_FOR_NEXT'] = True

@portalbp.route('/login', methods=['GET', 'POST'])
def login():
    form = forms.LoginForm()
    if form.validate_on_submit():
        login_user(form.user, remember=False)
        # Consume the stored destination so it is not reused on a later login.
        destination = session.pop('next', None)
        return redirect(destination or url_for('portal.index'))
    return render_template('portal/login.html', form=form)

I do not have a custom unauthorized_handler.

If explicit validation is necessary, is that functionality builtin, or do I need to supply it?

@alanhamlett
Collaborator

I believe only URLs in your app can be added to session['next'], but you should always validate URLs before redirecting using something like is_safe_url. It's not hard and definitely worth the extra peace of mind.
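An added example of the validation the comment above recommends (not Flask-Login's or the reporter's code): a stand-alone `is_safe_url` that accepts only targets resolving to the application's own origin, plus a `resolve_next` helper mirroring the login view's redirect decision. It takes the host URL as an explicit parameter (in a Flask view this would be `request.host_url`) so it runs without a request context.

```python
from urllib.parse import urljoin, urlparse

# Constructed example: a stand-alone version of the "is_safe_url" pattern.
# The application origin is passed in explicitly (hypothetical host_url
# parameter) instead of being read from flask.request.host_url.

def is_safe_url(target, host_url):
    """Return True only if `target` resolves to the same scheme family
    (http/https) and the same host:port as `host_url`."""
    if not target:
        return False
    # Browsers ignore leading whitespace/control characters and treat
    # backslashes like forward slashes, so normalise both before parsing;
    # otherwise "\t//evil.example" or "/\\evil.example" can pass a naive
    # "starts with /" check while the browser leaves the site.
    target = target.strip().replace("\\", "/")
    own = urlparse(host_url)
    # urljoin resolves relative paths against our origin, while absolute
    # and scheme-relative targets ("//evil.example") keep their own netloc,
    # which then fails the comparison below.
    resolved = urlparse(urljoin(host_url, target))
    return resolved.scheme in ("http", "https") and own.netloc == resolved.netloc


def resolve_next(session_next, host_url, fallback="/"):
    """Decide where a login view should redirect: the stored `next` value
    if it validates, otherwise the application's own fallback page."""
    return session_next if is_safe_url(session_next, host_url) else fallback
```

Because `netloc` includes the port, a target pointing at the same hostname on a different port is rejected as well, which is the strict behaviour you want for a post-login redirect.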

@alanhamlett
Collaborator

Related to #371 and pallets/werkzeug#609.

@github-actions github-actions bot locked and limited conversation to collaborators Apr 1, 2022