Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#18856 closed Bug (fixed)

avoid set_language redirect to different host

Reported by: Gunnar Owned by: nobody
Component: Uncategorized Version: master
Severity: Release blocker Keywords: set_language redirect infinite loop
Cc: Gunnar Scherf, Florian Apolloner Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: yes
Easy pickings: no UI/UX: no

Description

    next = request.REQUEST.get('next', None)
    if not next:
        next = request.META.get('HTTP_REFERER', None)

HTTP_REFERER can be from different host, specially when using an external SSO Authentication provider.
Then redirecting causes an infinite loop.
Solution:
Like in django.contrib.auth.login:

    next = request.REQUEST.get('next', None)
    if not next:
        next = request.META.get('HTTP_REFERER', None) 
        netloc = urlparse.urlparse(next)[1]

        # don't allow redirection to a different
        # host.
        if netloc and netloc != request.get_host():
            next = '/'

Attachments (1)

18856-1.diff (2.2 KB) - added by Claude Paroz 4 years ago.
Check REFERER before redirection

Download all attachments as: .zip

Change History (11)

comment:1 Changed 4 years ago by Gunnar Scherf

Owner: changed from nobody to Gunnar Scherf

comment:2 Changed 4 years ago by Gunnar Scherf

Cc: Gunnar Scherf added
Owner: Gunnar Scherf deleted

comment:3 Changed 4 years ago by Gunnar Scherf

Owner: set to nobody
Summary: avois set_language redirect to different hostavoid set_language redirect to different host
Type: UncategorizedBug

Changed 4 years ago by Claude Paroz

Attachment: 18856-1.diff added

Check REFERER before redirection

comment:4 Changed 4 years ago by Claude Paroz

Component: UncategorizedInternationalization
Has patch: set
Triage Stage: UnreviewedAccepted

comment:5 Changed 4 years ago by Jan Bednařík

Triage Stage: AcceptedReady for checkin

comment:6 Changed 4 years ago by Florian Apolloner

Cc: Florian Apolloner added
Component: InternationalizationUncategorized
Patch needs improvement: set
Severity: NormalRelease blocker
Triage Stage: Ready for checkinAccepted
Version: 1.4master

We also need to check the rest of the codebase for similar issues and factor this stuff out into a utility function like:

def safe_redirect(request, redirect_to):
  # check redirect_to against request.get_host() or so here...

comment:7 Changed 4 years ago by Florian Apolloner <florian@…>

Resolution: fixed
Status: newclosed

In 1515eb46daa0897ba5ad5f0a2db8969255f1b343:

[1.3.X] Fixed #18856 -- Ensured that redirects can't be poisoned by malicious users.

comment:8 Changed 4 years ago by Florian Apolloner <florian@…>

In b2ae0a63aeec741f1e51bac9a95a27fd635f9652:

[1.4.X] Fixed #18856 -- Ensured that redirects can't be poisoned by malicious users.

comment:9 Changed 4 years ago by Florian Apolloner <florian@…>

In fce1fa0f7fb984d4e76eb81ffc3cb9826046c3b5:

[1.5.X] Fixed #18856 -- Ensured that redirects can't be poisoned by malicious users.

comment:10 Changed 4 years ago by Florian Apolloner <florian@…>

In a2f2a399566dd68ce7e312fff5a5ba857066797d:

Fixed #18856 -- Ensured that redirects can't be poisoned by malicious users.

Note: See TracTickets for help on using tickets.
Back to Top