From 48dd3fa5bf5b1e53d8707e17bb95903d7a2f98b7 Mon Sep 17 00:00:00 2001
From: Luca Invernizzi
Date: Tue, 5 Mar 2013 21:20:45 +0000
Subject: [PATCH] NextFormMixin security bug fixed: open redirect

NextFormMixin was missing validations check on redirection [1]. Only internal redirections are now allowed.

Attack Example:
http://127.0.0.1:5000/login?next=http://google.com (it should not redirect to google.com)
wq

[1] https://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards
---
 flask_security/forms.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/flask_security/forms.py b/flask_security/forms.py
index c471605..382b8fa 100644
--- a/flask_security/forms.py
+++ b/flask_security/forms.py
@@ -10,6 +10,7 @@
 """
 
 import inspect
+import urlparse
 
 from flask import request, current_app
 from flask.ext.wtf import Form as BaseForm, TextField, PasswordField, \
@@ -90,6 +91,13 @@ class PasswordConfirmFormMixin():
 class NextFormMixin():
     next = HiddenField()
 
+    def validate_next(self, field):
+        url_next = urlparse.urlsplit(field.data)
+        url_base = urlparse.urlsplit(request.host_url)
+        if url_next.netloc and url_next.netloc != url_base.netloc:
+            field.data = ''
+            raise ValidationError('Redirections outside the domain are forbidden')
+
 
 class RegisterFormMixin():
     submit = SubmitField("Register")
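Review bot: The new `validate_next` in the second hunk only compares `netloc`, so a `next` value with no host but a dangerous scheme (`javascript:...`) passes, and so does a browser-normalised form such as `/\evil.com` — browsers rewrite the backslash to `/`, producing the scheme-relative `//evil.com`, while `urlsplit` reports an empty netloc and the check lets it through. Restrict the scheme to http/https and normalise backslashes before parsing, as in the excerpt below. If `field.data` can be `None` when the hidden field is missing from the post (depends on the wtforms version in use, not visible here), `urlsplit` would raise an `AttributeError` rather than a validation error, so the `or ''` guard is worth keeping. This validator only protects callers that run form validation; any view that reads `next` from `request.args` directly would bypass it, which the hunk cannot confirm either way.
```python
    def validate_next(self, field):
        # Browsers treat "\" as "/" in http(s) URLs, so "/\evil.com" is
        # followed as "//evil.com"; normalise first so urlsplit sees the
        # same host the browser will.
        target = (field.data or '').replace('\\', '/')
        url_next = urlparse.urlsplit(target)
        url_base = urlparse.urlsplit(request.host_url)
        bad_scheme = url_next.scheme and url_next.scheme not in ('http', 'https')
        bad_host = url_next.netloc and url_next.netloc != url_base.netloc
        if bad_scheme or bad_host:
            field.data = ''
            raise ValidationError('Redirections outside the domain are forbidden')
```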