NextFormMixin security bug fixed: open redirect

NextFormMixin was missing validations check on redirection [1]. Only internal redirections
are now allowed.
Attack Example: http://127.0.0.1:5000/login?next=http://google.com (it should not redirect to google.com)
wq
[1] https://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards
This commit is contained in:
Luca Invernizzi
2013-03-05 21:20:45 +00:00
parent 7db5fe32a8
commit 48dd3fa5bf
+8
View File
@@ -10,6 +10,7 @@
"""
import inspect
import urlparse
from flask import request, current_app
from flask.ext.wtf import Form as BaseForm, TextField, PasswordField, \
@@ -90,6 +91,13 @@ class PasswordConfirmFormMixin():
class NextFormMixin():
next = HiddenField()
def validate_next(self, field):
url_next = urlparse.urlsplit(field.data)
url_base = urlparse.urlsplit(request.host_url)
if url_next.netloc and url_next.netloc != url_base.netloc:
field.data = ''
raise ValidationError('Redirections outside the domain are forbidden')
class RegisterFormMixin():
submit = SubmitField("Register")