Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#18856 closed Bug (fixed)

avoid set_language redirect to different host

Reported by: Gunnar
Owned by: nobody
Component: Uncategorized
Version: master
Severity: Release blocker
Keywords: set_language redirect infinite loop
Cc: GunnarScherf, apollo13
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: yes
Easy pickings: no
UI/UX: no

Description

    next = request.REQUEST.get('next', None)
    if not next:
        next = request.META.get('HTTP_REFERER', None)

HTTP_REFERER can be from a different host, especially when using an external SSO authentication provider.
Then redirecting causes an infinite loop.
Solution:
Like in django.contrib.auth.login:

    import urlparse

    next = request.REQUEST.get('next', None)
    if not next:
        next = request.META.get('HTTP_REFERER', None)
        # urlparse needs a string: skip the parse when no Referer was sent
        netloc = urlparse.urlparse(next)[1] if next else ''

        # don't allow redirection to a different
        # host.
        if netloc and netloc != request.get_host():
            next = '/'

Attachments (1)

18856-1.diff (2.2 KB) - added by claudep 3 years ago.
Check REFERER before redirection


Change History (11)

comment:1 Changed 3 years ago by GunnarScherf

  • Needs documentation unset
  • Needs tests unset
  • Owner changed from nobody to GunnarScherf
  • Patch needs improvement unset

comment:2 Changed 3 years ago by GunnarScherf

  • Cc GunnarScherf added
  • Owner GunnarScherf deleted

comment:3 Changed 3 years ago by GunnarScherf

  • Owner set to nobody
  • Summary changed from avois set_language redirect to different host to avoid set_language redirect to different host
  • Type changed from Uncategorized to Bug

Changed 3 years ago by claudep

Check REFERER before redirection

comment:4 Changed 3 years ago by claudep

  • Component changed from Uncategorized to Internationalization
  • Has patch set
  • Triage Stage changed from Unreviewed to Accepted

comment:5 Changed 3 years ago by Architekt

  • Triage Stage changed from Accepted to Ready for checkin

comment:6 Changed 3 years ago by apollo13

  • Cc apollo13 added
  • Component changed from Internationalization to Uncategorized
  • Patch needs improvement set
  • Severity changed from Normal to Release blocker
  • Triage Stage changed from Ready for checkin to Accepted
  • Version changed from 1.4 to master

We also need to check the rest of the codebase for similar issues and factor this stuff out into a utility function like:

    def safe_redirect(request, redirect_to):
        # check redirect_to against request.get_host() or so here...
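
The host check comment 6 asks for, written out as an added example (not Django's code and not the attached patch): a Python 3 helper that compares the target's netloc with the request host and applies the next/Referer fallback the way set_language does. The host name and URLs are constructed sample values, and `safe_redirect_target` is a hypothetical name.

```python
from urllib.parse import urlparse

# Added example, not Django's code: the kind of utility comment 6 sketches.
# Host names and URLs below are constructed sample values.

def is_same_host(url, host):
    """True when url is relative (no netloc) or its netloc equals host."""
    if not url:
        return False
    netloc = urlparse(url).netloc
    # Scheme-relative URLs such as "//sso.example.net/" have no scheme but
    # still carry a netloc, so the same comparison rejects them.
    return not netloc or netloc == host

def safe_redirect_target(next_param, referer, host, fallback="/"):
    """Choose the redirect target for a set_language-style view.

    The ?next= parameter is preferred, then the Referer header, as in the
    description's snippet; a candidate pointing at another host (for
    instance an external SSO provider) is discarded instead of followed.
    """
    for candidate in (next_param, referer):
        if is_same_host(candidate, host):
            return candidate
    return fallback

def demo():
    host = "example.com"  # what request.get_host() would return (constructed)
    cases = [
        ("/dashboard/", None),
        (None, "https://sso.example.net/login?return=https://example.com/"),
        (None, "https://example.com/about/"),
        ("//sso.example.net/login", "https://example.com/about/"),
    ]
    return [safe_redirect_target(n, r, host) for n, r in cases]

if __name__ == "__main__":
    for target in demo():
        print(target)
```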

comment:7 Changed 3 years ago by Florian Apolloner <florian@…>

  • Resolution set to fixed
  • Status changed from new to closed

In 1515eb46daa0897ba5ad5f0a2db8969255f1b343:

[1.3.X] Fixed #18856 -- Ensured that redirects can't be poisoned by malicious users.

comment:8 Changed 3 years ago by Florian Apolloner <florian@…>

In b2ae0a63aeec741f1e51bac9a95a27fd635f9652:

[1.4.X] Fixed #18856 -- Ensured that redirects can't be poisoned by malicious users.

comment:9 Changed 3 years ago by Florian Apolloner <florian@…>

In fce1fa0f7fb984d4e76eb81ffc3cb9826046c3b5:

[1.5.X] Fixed #18856 -- Ensured that redirects can't be poisoned by malicious users.

comment:10 Changed 3 years ago by Florian Apolloner <florian@…>

In a2f2a399566dd68ce7e312fff5a5ba857066797d:

Fixed #18856 -- Ensured that redirects can't be poisoned by malicious users.
