Context Navigation

← Previous Ticket
Next Ticket →

#18856 closed Bug (fixed)

avoid set_language redirect to different host

Reported by:	Gunnar	Owned by:	nobody
Component:	Uncategorized	Version:	dev
Severity:	Release blocker	Keywords:	set_language redirect infinite loop
Cc:	Gunnar Scherf, Florian Apolloner	Triage Stage:	Accepted
Has patch:	yes	Needs documentation:	no
Needs tests:	no	Patch needs improvement:	yes
Easy pickings:	no	UI/UX:	no

Description

    next = request.REQUEST.get('next', None)
    if not next:
        next = request.META.get('HTTP_REFERER', None)

HTTP_REFERER can be from different host, specially when using an external SSO Authentication provider.
Then redirecting causes an infinite loop.
Solution:
Like in django.contrib.auth.login:

    next = request.REQUEST.get('next', None)
    if not next:
        next = request.META.get('HTTP_REFERER', None) 
        netloc = urlparse.urlparse(next)[1]

        # don't allow redirection to a different
        # host.
        if netloc and netloc != request.get_host():
            next = '/'

Attachments (1)

18856-1.diff (2.2 KB ) - added by Claude Paroz 12 years ago.: Check REFERER before redirection

Download all attachments as: .zip

Change History (11)

comment:1 by Gunnar Scherf, 12 years ago

Owner:	changed from nobody to Gunnar Scherf

comment:2 by Gunnar Scherf, 12 years ago

Cc:	Gunnar Scherf added
Owner:	Gunnar Scherf removed

comment:3 by Gunnar Scherf, 12 years ago

Owner:	set to nobody
Summary:	avois set_language redirect to different host → avoid set_language redirect to different host
Type:	Uncategorized → Bug

by Claude Paroz, 12 years ago

Attachment:	18856-1.diff added

Check REFERER before redirection

comment:4 by Claude Paroz, 12 years ago

Component:	Uncategorized → Internationalization
Has patch:	set
Triage Stage:	Unreviewed → Accepted

comment:5 by Jan Bednařík, 12 years ago

Triage Stage:	Accepted → Ready for checkin

comment:6 by Florian Apolloner, 12 years ago

Cc:	Florian Apolloner added
Component:	Internationalization → Uncategorized
Patch needs improvement:	set
Severity:	Normal → Release blocker
Triage Stage:	Ready for checkin → Accepted
Version:	1.4 → master

We also need to check the rest of the codebase for similar issues and factor this stuff out into a utility function like:

def safe_redirect(request, redirect_to):
  # check redirect_to against request.get_host() or so here...

comment:7 by Florian Apolloner <florian@…>, 12 years ago

Resolution:	→ fixed
Status:	new → closed

In 1515eb46daa0897ba5ad5f0a2db8969255f1b343:

[1.3.X] Fixed #18856 -- Ensured that redirects can't be poisoned by malicious users.

comment:8 by Florian Apolloner <florian@…>, 12 years ago

In b2ae0a63aeec741f1e51bac9a95a27fd635f9652:

[1.4.X] Fixed #18856 -- Ensured that redirects can't be poisoned by malicious users.

comment:9 by Florian Apolloner <florian@…>, 12 years ago

In fce1fa0f7fb984d4e76eb81ffc3cb9826046c3b5:

[1.5.X] Fixed #18856 -- Ensured that redirects can't be poisoned by malicious users.

comment:10 by Florian Apolloner <florian@…>, 12 years ago

In a2f2a399566dd68ce7e312fff5a5ba857066797d:

Fixed #18856 -- Ensured that redirects can't be poisoned by malicious users.

Note: See TracTickets for help on using tickets.

Download in other formats:

Issues