#2504 Only redirect back to HTTP_REFERER if it points to kojiweb
Merged 2 years ago by tkopecek. Opened 2 years ago by alexi.
alexi/koji fix_2503  into  master

file modified
+2 -1
@@ -211,10 +211,11 @@ 

  

  

  def _redirectBack(environ, page, forceSSL):

+     localurl = '%s://%s' % (environ['REQUEST_SCHEME'], environ['SERVER_NAME'])

      if page:

          # We'll work with the page we were given

          pass

-     elif 'HTTP_REFERER' in environ:

+     elif environ.get('HTTP_REFERER', '').startswith(localurl):

          page = environ['HTTP_REFERER']

      else:

          page = 'index'
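Review bot: the new condition `elif environ.get('HTTP_REFERER', '').startswith(localurl):` is a plain string prefix match on `scheme://host` with no trailing separator, so a referer whose host merely begins with SERVER_NAME (e.g. `https://<SERVER_NAME>.other.example/...`) still satisfies it and the off-site redirect the description is trying to close is only partly closed. Parse the referer with `urllib.parse.urlsplit` and compare scheme and hostname (and port, where SERVER_PORT is not the scheme default) against the server's own values, or at minimum append `/` to `localurl` so the host must end where SERVER_NAME ends. Two smaller points on the same lines: `environ['REQUEST_SCHEME']` is indexed directly while HTTP_REFERER uses `.get`, so a request without that key raises KeyError before the function can fall back to `index` (the WSGI-standard `environ['wsgi.url_scheme']` is always present and would be a safer source), and because SERVER_NAME carries no port, a kojiweb served on a non-default port will never match its own referer and will always land on `index`.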

The HTTP_REFERER is used to send the user back to the same page where they were before they logged in or out. If the HTTP_REFERER does not point to this same server, it's no longer useful and may end up being harmful (as demonstrated by #2503). In that case, HTTP_REFERER should not be used and we should default to redirecting to index.

Fixes https://pagure.io/koji/issue/2503.
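A stricter same-origin test for the referer, added here as an example and not part of this pull request or of koji's own code: it parses the referer with `urllib.parse` and compares scheme, host and port against the server's values, and sits beside a prefix check written in the style of the patch so the two can be compared on the same inputs. The `SAMPLE_ENVIRON` dictionary, the `koji.example.com` host and the referer strings are constructed for the example; `redirect_target` mirrors the page / referer / index decision of `_redirectBack` but is not that function.

```python
from urllib.parse import urlsplit

# Constructed WSGI-style environ for the examples below (not a real kojiweb request).
SAMPLE_ENVIRON = {
    "REQUEST_SCHEME": "https",
    "wsgi.url_scheme": "https",
    "SERVER_NAME": "koji.example.com",
    "SERVER_PORT": "443",
}


def prefix_referer_check(environ, referer):
    """Check in the style of the patch: a plain string prefix match on 'scheme://host'.

    Kept here only to show its behaviour next to the parsed check below.
    """
    localurl = "%s://%s" % (environ["REQUEST_SCHEME"], environ["SERVER_NAME"])
    return referer.startswith(localurl)


def is_local_referer(environ, referer):
    """Stricter check (added example, not koji's): compare parsed scheme, host and port.

    Parsing instead of prefix-matching means a referer whose host merely starts
    with SERVER_NAME, or one that puts another host after 'user@' userinfo, is
    rejected rather than matched. A referer with an unparseable port is rejected too.
    """
    if not referer:
        return False
    parts = urlsplit(referer)
    # Prefer the CGI-style key the patch uses, fall back to the WSGI-standard one.
    local_scheme = (environ.get("REQUEST_SCHEME") or environ.get("wsgi.url_scheme", "")).lower()
    if parts.scheme.lower() != local_scheme:
        return False
    # .hostname is lowercased and has userinfo and port stripped by urlsplit.
    if (parts.hostname or "") != environ["SERVER_NAME"].lower():
        return False
    # An absent port in the referer means the scheme's default port.
    default_port = 443 if local_scheme == "https" else 80
    local_port = int(environ.get("SERVER_PORT", default_port))
    try:
        referer_port = parts.port if parts.port is not None else default_port
    except ValueError:
        # urlsplit(...).port raises when the port is not an integer.
        return False
    return referer_port == local_port


def redirect_target(environ, page=None):
    """Same decision order as _redirectBack: explicit page, else local referer, else index."""
    if page:
        return page
    referer = environ.get("HTTP_REFERER", "")
    if is_local_referer(environ, referer):
        return referer
    return "index"


if __name__ == "__main__":
    lookalike = "https://koji.example.com.other.example/koji/"
    print("prefix check accepts lookalike host:", prefix_referer_check(SAMPLE_ENVIRON, lookalike))
    print("parsed check accepts lookalike host:", is_local_referer(SAMPLE_ENVIRON, lookalike))
```

Comparing parsed components rather than a string prefix is what makes the difference for hosts that extend SERVER_NAME and for referers that place another host after `user@`; the port comparison also lets a kojiweb served on a non-default port recognise its own referer, which a bare `scheme://SERVER_NAME` prefix cannot.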

Metadata Update from @tkopecek:
- Pull-request tagged with: testing-ready

2 years ago

Metadata Update from @tkopecek:
- Pull-request untagged with: testing-ready
- Pull-request tagged with: no_qe

2 years ago

Commit a09cacc fixes this pull-request

Pull-Request has been merged by tkopecek

2 years ago