NextFormMixin security bug fixed: open redirect
NextFormMixin was missing a validation check on redirection [1]. Only internal redirections are now allowed. Attack example: http://127.0.0.1:5000/login?next=http://google.com (it should not redirect to google.com). [1] https://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards
@@ -10,6 +10,7 @@
|
||||
"""
|
||||
|
||||
import inspect
|
||||
import urlparse
|
||||
|
||||
from flask import request, current_app
|
||||
from flask.ext.wtf import Form as BaseForm, TextField, PasswordField, \
|
||||
@@ -90,6 +91,13 @@ class PasswordConfirmFormMixin():
|
||||
class NextFormMixin():
|
||||
next = HiddenField()
|
||||
|
||||
def validate_next(self, field):
|
||||
url_next = urlparse.urlsplit(field.data)
|
||||
url_base = urlparse.urlsplit(request.host_url)
|
||||
if url_next.netloc and url_next.netloc != url_base.netloc:
|
||||
field.data = ''
|
||||
raise ValidationError('Redirections outside the domain are forbidden')
|
||||
|
||||
|
||||
class RegisterFormMixin():
|
||||
submit = SubmitField("Register")
|
||||
|
||||
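Review bot: The new `validate_next` only rejects a target whose parsed `netloc` differs from the host, so anything `urlsplit` reports with an empty `netloc` is accepted whatever its scheme or path looks like, and backslashes (which browsers fold into slashes) are not normalized before parsing — the usual hardening is to normalize and restrict the scheme as well: `url_next = urlparse.urlsplit(field.data.replace('\\', '/'))` followed by `if url_next.scheme not in ('', 'http', 'https') or (url_next.netloc and url_next.netloc != url_base.netloc):`. The host comparison is only as trustworthy as `request.host_url`, which presumably reflects the incoming Host header unless `SERVER_NAME` is configured; a one-line comment stating that assumption would help the next maintainer. `ValidationError` is used but the `flask.ext.wtf` import list it would come from continues outside the first hunk, so I cannot confirm it is in scope. A short docstring on `validate_next` such as `"""Reject a next URL that would redirect off this host; clears field.data and raises ValidationError."""` would document the contract.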