From 50a24d7acabd35b122138b2e192cd00a927e1caf Mon Sep 17 00:00:00 2001
From: Adrian Moennich
Date: Fri, 23 Aug 2024 01:58:47 +0200
Subject: [PATCH] Validate scheme of next URL

---
 CHANGES.rst                 | 5 +++++
 flask_multipass/__init__.py | 2 +-
 flask_multipass/core.py     | 2 ++
 tests/test_core.py          | 1 +
 4 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/CHANGES.rst b/CHANGES.rst
index ec9f79c..486c4af 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -1,6 +1,11 @@
 Changelog
 =========
 
+Version 0.5.5
+-------------
+
+- Ensure only valid schemas (http and https) can be used when validating the ``next`` URL
+
 Version 0.5.4
 -------------
 
diff --git a/flask_multipass/__init__.py b/flask_multipass/__init__.py
index b58325e..f04f735 100644
--- a/flask_multipass/__init__.py
+++ b/flask_multipass/__init__.py
@@ -13,7 +13,7 @@ from .identity import IdentityProvider
-__version__ = '0.5.4'
+__version__ = '0.5.5'
 __all__ = ('Multipass', 'AuthProvider', 'IdentityProvider', 'AuthInfo', 'IdentityInfo', 'Group', 'MultipassException', 'AuthenticationFailed', 'IdentityRetrievalFailed', 'GroupRetrievalFailed', 'NoSuchUser', 'InvalidCredentials')
diff --git a/flask_multipass/core.py b/flask_multipass/core.py
index 1824d6c..62f729a 100644
--- a/flask_multipass/core.py
+++ b/flask_multipass/core.py
@@ -135,6 +135,8 @@ def validate_next_url(self, url):
         a whitelist of trusted hosts to avoid creating an open redirector.
         """
         url_info = urlsplit(url)
+        if url_info.scheme and url_info.scheme not in {'http', 'https'}:
+            return False
         return not url_info.netloc or url_info.netloc == request.host
 
     def process_login(self, provider=None):
diff --git a/tests/test_core.py b/tests/test_core.py
index ef1e60b..12e1403 100644
--- a/tests/test_core.py
+++ b/tests/test_core.py
@@ -161,6 +161,7 @@ def test_next_url_invalid():
     ('//evil.com:80', False),
     ('http://evil.com', False),
     ('https://evil.com', False),
+    ('javascript:alert("eeeeeeeevil")', False),
 ))
 def test_validate_next_url(url, valid):
     app = Flask('test')
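Review bot: The added scheme check in validate_next_url still accepts an http/https scheme that carries no netloc, because `urlsplit('https:evil.com')` yields scheme `https`, an empty netloc and path `evil.com`, so the unchanged `return not url_info.netloc or ...` line returns True; per the WHATWG URL parser a browser resolving that string from a Location header treats `evil.com` as the authority when the scheme differs from the current page's, which reopens the redirector the commit is closing. Requiring a netloc whenever a scheme is present closes the gap with a one-line change: `if url_info.scheme and (url_info.scheme not in {'http', 'https'} or not url_info.netloc):`. The comparison can rely on `urlsplit` lowercasing the scheme, so no explicit `.lower()` is needed, but a short comment saying so would stop a future reader from adding one or, worse, removing the reliance. The docstring of validate_next_url starts outside the hunk and should also state that only http and https schemes are accepted.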
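Review bot: The new parametrize case pins a single non-http scheme, so the check's dependence on `urlsplit` lowercasing the scheme and its handling of other schemes stay untested; a mixed-case variant such as `('JavaScript:alert(1)', False)` and a second scheme such as `('data:text/html,x', False)` (constructed examples) would document the intended behaviour. If no positive case with an accepted scheme and the matching request host exists above the hunk, one should be added so the new branch cannot silently start rejecting legitimate absolute URLs. test_validate_next_url's body continues outside the hunk.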