fix(lang): patch FAB's LocaleView to redirect to previous page #31692
Changes from 7 commits
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -62,3 +62,20 @@ def is_secure_url(url: str) -> bool: | |
| """ | ||
| parsed_url = urlparse(url) | ||
| return parsed_url.scheme == "https" | ||
|
|
||
|
|
||
| def is_safe_redirect_url(source_url: str, target_url: str) -> bool: | ||
|
Member
Sorry for the multi-phase review, but GPT recommends further checking here, and since this is security for XSS I'm thinking let's do it... GPT says: This handles edge cases like user-supplied target_url values starting with // (which browsers interpret as external redirects) or other relative path tricks. Using urljoin() ensures we're validating the fully resolved URL against the expected scheme and host. Safer for open internet exposure.
Contributor
Author
Easy done, thank you for this security fix @mistercrunch! Applied with 08010c9. However, should we use the joined
Contributor
Author
Ok, I've found what we needed in FAB: get_safe_redirect. My only worry is it's not exposed as an explicit part of the API, and so might change out from under us. But it's used in several places in the FAB code base, so it's a calculated risk.
||
| """ | ||
| Validates whether it's safe to redirect from source URL to the target URL. | ||
|
|
||
| Checks that the URL scheme and netloc match. | ||
|
|
||
| :param source_url: the current request.host_url. | ||
| :param target_url: the URL we plan to redirect to. | ||
| """ | ||
| source_parsed = urlparse(source_url) | ||
| target_parsed = urlparse(target_url) | ||
| return ( | ||
| source_parsed.scheme == target_parsed.scheme | ||
| and source_parsed.netloc == target_parsed.netloc | ||
| ) | ||
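Review bot: `is_safe_redirect_url` compares `target_parsed.scheme` and `target_parsed.netloc` directly against the parsed `source_url`, so every relative `target_url` (empty scheme and netloc, which is what a "previous page" path normally looks like) is rejected, while the `urljoin()` resolution discussed in this thread does not appear in the hunk. Resolving first, `urlparse(urljoin(source_url, target_url))`, and comparing that result's scheme and netloc against `source_url` would accept same-site relative paths and still reject a scheme-relative `//other-host/...` target, which urljoin resolves onto the other host; the docstring should then state that the target is resolved against `source_url` before the comparison.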
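An added example, not code from the Superset PR or from FAB, that runs the hunk's direct scheme/netloc comparison beside the urljoin-resolved variant proposed in the review thread over constructed redirect targets; the host `superset.example`, the attacker host and the target paths are constructed for illustration.

```python
# Added example, not code from the Superset PR or from FAB: the hunk's direct
# scheme/netloc comparison next to the urljoin-resolved variant discussed in
# review, run over constructed redirect targets.
from urllib.parse import urljoin, urlparse


def is_safe_redirect_url(source_url: str, target_url: str) -> bool:
    """The check as written in the hunk: scheme and netloc must both match."""
    source_parsed = urlparse(source_url)
    target_parsed = urlparse(target_url)
    return (
        source_parsed.scheme == target_parsed.scheme
        and source_parsed.netloc == target_parsed.netloc
    )


def is_safe_redirect_url_resolved(source_url: str, target_url: str) -> bool:
    """Variant suggested in the thread: resolve the target against the source
    with urljoin() first, so a relative path becomes a same-host absolute URL
    while a scheme-relative '//other-host/...' target resolves to that host."""
    source_parsed = urlparse(source_url)
    resolved = urlparse(urljoin(source_url, target_url))
    return (
        resolved.scheme == source_parsed.scheme
        and resolved.netloc == source_parsed.netloc
    )


# Constructed inputs: HOST stands in for request.host_url, and each target maps
# to whether a redirect to it should be allowed.
HOST = "https://superset.example/"
EXPECTED = {
    "/superset/welcome/": True,                           # same-site relative path
    "https://superset.example/dashboard/list/": True,     # absolute, same host
    "//attacker.example/": False,                         # scheme-relative, other host
    "https://attacker.example/": False,                   # absolute, other host
    "http://superset.example/": False,                    # same host, scheme downgrade
    "https://superset.example@attacker.example/": False,  # userinfo-prefixed host
}


def mismatches(checker, host: str = HOST) -> list[str]:
    """Targets for which `checker` disagrees with EXPECTED."""
    return [t for t, ok in EXPECTED.items() if checker(host, t) is not ok]


if __name__ == "__main__":
    # The direct check rejects the legitimate relative path; the resolved
    # variant agrees with EXPECTED on every case.
    print("direct  :", mismatches(is_safe_redirect_url))
    print("resolved:", mismatches(is_safe_redirect_url_resolved))
```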