Merge pull request #96 from invernizzi/develop

NextFormMixin security bug fixed: open redirect
2026-06-27 16:10:11 +08:00 · 2013-03-05 13:58:08 -08:00
parent 7db5fe32a8 48dd3fa5bf
commit 246ab41479
1 changed files with 8 additions and 0 deletions
@@ -10,6 +10,7 @@
 """

 import inspect
+import urlparse

 from flask import request, current_app
 from flask.ext.wtf import Form as BaseForm, TextField, PasswordField, \
@@ -90,6 +91,13 @@ class PasswordConfirmFormMixin():
 class NextFormMixin():
    next = HiddenField()

+    def validate_next(self, field):
+        url_next = urlparse.urlsplit(field.data)
+        url_base = urlparse.urlsplit(request.host_url)
+        if url_next.netloc and url_next.netloc != url_base.netloc:
+            field.data = ''
+            raise ValidationError('Redirections outside the domain are forbidden')
+

 class RegisterFormMixin():
    submit = SubmitField("Register")