

Jakub Wilk  committed 62aae3b

Never redirect to non-local unprotected URLs.

  • Parent commits f527f73
  • Branches default

Comments (0)

Files changed (1)

File marasca/app/views.py

 
 import utils.locks
 import utils.i18n
+import utils.redirect
 import poliqarp
 
 get_template = django.template.loader.get_template
     pending_url = '%s?pending=yes' % request.path
     return django.http.HttpResponseRedirect(pending_url)
 
+def is_local_url(url):
+    return (
+        url and
+        url.startswith('/') and
+        not url.startswith('//')
+    )
+
 class ResultInfo(Info):
 
     def __init__(self, n):
                 continue
             setattr(settings, key, value)
         request.session.save()
-        if next:
+        if is_local_url(next):
             return django.http.HttpResponseRedirect(next)
     context = Context(request, form=form, selected='settings')
     return django.http.HttpResponse(template.render(context))
     redirect to the page in the request (the 'next' parameter) without changing
     any state.
     '''
-    url = request.REQUEST.get('next', None) or get_referrer(request) or '/'
+    url = request.REQUEST.get('next', None) or get_referrer(request)
+    if not is_local_url(url):
+        url = '/'
     response = django.http.HttpResponseRedirect(url)
     if request.method == 'POST':
         lang_code = request.POST.get('language', None)
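Review bot: `is_local_url` in the second hunk rejects scheme-relative `//host` but still accepts `/\host`, which several browsers normalise to `//host`, so the redirect at `if is_local_url(next):` and the `url` fallback in the last hunk can still send a user off-site; tighten the last clause to `not url.startswith(('//', '/\\'))`. The function also returns the first falsy operand (`None` or `''`) rather than a bool, which the two `if` call sites tolerate but is worth wrapping in `bool(...)` and documenting with a docstring such as `'''Return True if url is a path on this host (no scheme or authority part).'''`. `import utils.redirect` is added in the first hunk but nothing in the visible hunks uses it; if the rest of the file does not either, it is an unused import.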