koji

Clone

#2504 Only redirect back to HTTP_REFERER if it points to kojiweb
Merged 2 years ago by tkopecek. Opened 2 years ago by alexi.
alexi/koji fix_2503  into  master

file modified
+2 -1 
@@ -211,10 +211,11 @@ 
 

  

  

  def _redirectBack(environ, page, forceSSL):
 

+     localurl = '%s://%s' % (environ['REQUEST_SCHEME'], environ['SERVER_NAME'])
 

      if page:
 

          # We'll work with the page we were given
 

          pass
 

-     elif 'HTTP_REFERER' in environ:
 

+     elif environ.get('HTTP_REFERER', '').startswith(localurl):
 

          page = environ['HTTP_REFERER']
 

      else:
 

          page = 'index'

The HTTP_REFERER is used to send the user back to the same page where they were before they logged in or out. If the HTTP_REFERER does not point to this same server, it's no longer useful and may end up being harmful (as demonstrated by #2503). In that case, HTTP_REFERER should not be used and we should default to redirecting to index.

Fixes https://pagure.io/koji/issue/2503.

Metadata Update from @tkopecek:
- Pull-request tagged with: testing-ready
2 years ago

:thumbsup:

Metadata Update from @tkopecek:
- Pull-request untagged with: testing-ready
- Pull-request tagged with: no_qe
2 years ago

Commit a09cacc fixes this pull-request

Pull-Request has been merged by tkopecek
2 years ago
Changes Summary 1
+2 -1
file changed
www/kojiweb/index.py
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.