Fix double backslash open redirect (#1096)

This commit is contained in:
Carlos Quintana 2022-06-16 09:55:08 +02:00 committed by GitHub
parent 58990ec762
commit 332fcb27d9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 2 additions and 1 deletions


@ -87,7 +87,7 @@ class NextUrlSanitizer:
return replaced
else:
return None
if result.path and result.path[0] == "/":
if result.path and result.path[0] == "/" and not result.path.startswith("//"):
return result.path
return None
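Review bot: The added `not result.path.startswith("//")` test on the new `if` line reads as redundant next to the hostname branch just above it, so it needs a comment saying when it actually fires: `urlparse` only leaves `//` in the path when the input has four or more leading slashes (after whatever normalisation produced `replaced`), e.g. `urlparse("////evil.com")` yields an empty netloc and path `//evil.com`, which a browser sent that as a Location header treats as a protocol-relative redirect to evil.com. Suggested comment above the check: `# netloc is empty here, but a path still starting with "//" (e.g. from "////evil.com") would be emitted as a protocol-relative Location, so reject it`. The two conditions can also be folded into one line, `if result.path.startswith("/") and not result.path.startswith("//"):`, which avoids the index and the empty-string guard. The enclosing method starts before this hunk, and the header's 7-line count against the six lines shown suggests one trailing context line was dropped in rendering.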


@ -27,6 +27,7 @@ def generate_sanitize_url_cases() -> List:
["/auth", "/auth"],
["/some/path", "/some/path"],
["//somewhere.net", None],
["//\\\\evil.com", None],
]
for domain in ALLOWED_REDIRECT_DOMAINS:
cases.append([f"http://{domain}", f"http://{domain}"])
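Review bot: The new case only reaches the bypass through its backslash spelling, so the path-level `//` check is never exercised by a plain-slash input; add `["////evil.com", None]`, which `urlparse` turns into an empty netloc and a `//evil.com` path with no backslash handling involved. A four-backslash variant, `["\\\\\\\\evil.com", None]`, would cover the same route via the vector the commit title names, and expects `None` whether or not backslashes are normalised first. `generate_sanitize_url_cases` continues past the end of this hunk.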