Skip to content

Commit

Permalink
Validate schema of next URL
Browse files Browse the repository at this point in the history
  • Loading branch information
ThiefMaster committed Aug 23, 2024
1 parent 398c0a5 commit 24169cd
Show file tree
Hide file tree
Showing 4 changed files with 9 additions and 1 deletion.
5 changes: 5 additions & 0 deletions CHANGES.rst
Original file line number Diff line number Diff line change
@@ -1,6 +1,11 @@
Changelog
=========

Version 0.5.5
-------------

- Ensure only valid schemas (http and https) can be used when validating the ``next`` URL

Version 0.5.4
-------------

Expand Down
2 changes: 1 addition & 1 deletion flask_multipass/__init__.py
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@
from .identity import IdentityProvider


__version__ = '0.5.4'
__version__ = '0.5.5'
__all__ = ('Multipass', 'AuthProvider', 'IdentityProvider', 'AuthInfo', 'IdentityInfo', 'Group', 'MultipassException',
'AuthenticationFailed', 'IdentityRetrievalFailed', 'GroupRetrievalFailed', 'NoSuchUser',
'InvalidCredentials')
2 changes: 2 additions & 0 deletions flask_multipass/core.py
Original file line number Diff line number Diff line change
Expand Up @@ -135,6 +135,8 @@ def validate_next_url(self, url):
a whitelist of trusted hosts to avoid creating an open redirector.
"""
url_info = urlsplit(url)
if url_info.scheme and url_info.scheme not in {'http', 'https'}:
return False
return not url_info.netloc or url_info.netloc == request.host

def process_login(self, provider=None):
Expand Down
1 change: 1 addition & 0 deletions tests/test_core.py
Original file line number Diff line number Diff line change
Expand Up @@ -161,6 +161,7 @@ def test_next_url_invalid():
('//evil.com:80', False),
('http://evil.com', False),
('https://evil.com', False),
('javascript:alert("eeeeeeeevil")', False),
))
def test_validate_next_url(url, valid):
app = Flask('test')
Expand Down

0 comments on commit 24169cd

Please sign in to comment.