Validate schema of next URL

indico · Aug 22, 2024 · 35a3708 · 35a3708
1 parent 398c0a5
commit 35a3708
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 1 deletion.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -1,6 +1,11 @@
 Changelog
 =========
 
+Version 0.5.5
+-------------
+
+- Ensure only valid schemas (http and https) can be used when validating the ``next`` URL
+
 Version 0.5.4
 -------------
 

diff --git a/flask_multipass/__init__.py b/flask_multipass/__init__.py
@@ -13,7 +13,7 @@
 from .identity import IdentityProvider
 
 
-__version__ = '0.5.4'
+__version__ = '0.5.5'
 __all__ = ('Multipass', 'AuthProvider', 'IdentityProvider', 'AuthInfo', 'IdentityInfo', 'Group', 'MultipassException',
            'AuthenticationFailed', 'IdentityRetrievalFailed', 'GroupRetrievalFailed', 'NoSuchUser',
            'InvalidCredentials')
diff --git a/flask_multipass/core.py b/flask_multipass/core.py
@@ -135,6 +135,8 @@ def validate_next_url(self, url):
         a whitelist of trusted hosts to avoid creating an open redirector.
         """
         url_info = urlsplit(url)
+        if url_info.scheme and url_info.scheme not in {'http', 'https'}:
+            return False
         return not url_info.netloc or url_info.netloc == request.host
 
     def process_login(self, provider=None):