Merge pull request #1012 from ortgit/master
Security fix: Validate for open redirect everywhere, not just in login()
mdipierro committed Jul 2, 2015
2 parents cc7e10d + f9cd7e4 commit e31a099
Showing 2 changed files with 7 additions and 4 deletions.
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -58,3 +58,4 @@ HOWTO-web2py-devel
*.sublime-project
*.sublime-workspace
.idea/*
site-packages/
10 changes: 6 additions & 4 deletions gluon/tools.py
Expand Up @@ -1541,6 +1541,12 @@ def get_vars_next(self):
next = current.request.vars._next
if isinstance(next, (list, tuple)):
next = next[0]
if next and self.settings.prevent_open_redirect_attacks:
# Prevent an attacker from adding an arbitrary url after the
# _next variable in the request.
items = next.split('/')
if '//' in next and items[2] != current.request.env.http_host:
next = None
return next

def _get_user_id(self):
Expand Down Expand Up @@ -2513,10 +2519,6 @@ def login(self,

### use session for federated login
snext = self.get_vars_next()
if snext and self.settings.prevent_open_redirect_attacks:
items = snext.split('/')
if '//' in snext and items[2] != request.env.http_host:
snext = None

if snext:
session._auth_next = snext
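Review bot: The guard added under `if next and self.settings.prevent_open_redirect_attacks:` in get_vars_next decides by the substring `'//'` and the third `/`-split field rather than by parsing the value, so a target that a browser resolves as absolute without containing `//` is not caught, while a relative path that merely has an empty segment (`/a//b`) is rejected as if it were external. Parsing once and accepting only a scheme-less value whose netloc is empty or equals the serving host expresses the intended policy directly: `p = urlparse(next)` / `if p.scheme or (p.netloc and p.netloc != current.request.env.http_host): next = None`. A docstring on get_vars_next saying that every caller now receives this validation when `prevent_open_redirect_attacks` is set would help, since the second hunk removes login()'s own copy of the check and readers of login() will otherwise look for it there. The body of get_vars_next begins outside the hunk.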
