Validate scheme of next URL

CHANGES.rst

@@ -1,6 +1,11 @@
 Changelog
 =========
 
+Version 0.5.5
+-------------
+
+- Ensure only valid schemas (http and https) can be used when validating the ``next`` URL
+
 Version 0.5.4
 -------------
 

flask_multipass/__init__.py

@@ -13,7 +13,7 @@
 from .identity import IdentityProvider
 
 
-__version__ = '0.5.4'
+__version__ = '0.5.5'
 __all__ = ('Multipass', 'AuthProvider', 'IdentityProvider', 'AuthInfo', 'IdentityInfo', 'Group', 'MultipassException',
            'AuthenticationFailed', 'IdentityRetrievalFailed', 'GroupRetrievalFailed', 'NoSuchUser',
            'InvalidCredentials')

flask_multipass/core.py

@@ -135,6 +135,8 @@ def validate_next_url(self, url):
         a whitelist of trusted hosts to avoid creating an open redirector.
         """
         url_info = urlsplit(url)
+        if url_info.scheme and url_info.scheme not in {'http', 'https'}:
+            return False
         return not url_info.netloc or url_info.netloc == request.host
 
     def process_login(self, provider=None):

tests/test_core.py

@@ -161,6 +161,7 @@ def test_next_url_invalid():
     ('//evil.com:80', False),
     ('http://evil.com', False),
     ('https://evil.com', False),
+    ('javascript:alert("eeeeeeeevil")', False),
 ))
 def test_validate_next_url(url, valid):
     app = Flask('test')