author | Cédric Bonhomme <cedric@cedricbonhomme.org> | 2015-08-04 19:00:58 +0200 |
---|---|---|
committer | Cédric Bonhomme <cedric@cedricbonhomme.org> | 2015-08-04 19:00:58 +0200 |
commit | 0a116f556a4d8c2eabe3a07bc9b560538d2d530d (patch) | |
tree | 1a8e10402e4bb59dc7c217fa28d54bde009fd79f /pyaggr3g470r/utils.py | |
parent | Updated NEWS.rst file. (diff) | |
Secure back redirects with WTForms.
Diffstat (limited to 'pyaggr3g470r/utils.py')
-rwxr-xr-x | pyaggr3g470r/utils.py | 22 |
1 files changed, 21 insertions, 1 deletions
diff --git a/pyaggr3g470r/utils.py b/pyaggr3g470r/utils.py
index 3d8bb483..bcea5109 100755
--- a/pyaggr3g470r/utils.py
+++ b/pyaggr3g470r/utils.py
@@ -49,11 +49,12 @@ import sqlalchemy
 try:
     from urlparse import urlparse, parse_qs, urlunparse
 except:
-    from urllib.parse import urlparse, parse_qs, urlunparse
+    from urllib.parse import urlparse, parse_qs, urlunparse, urljoin
 from bs4 import BeautifulSoup
 from datetime import timedelta
 from collections import Counter
 from contextlib import contextmanager
+from flask import request
 import conf
 from flask import g
@@ -65,6 +66,25 @@ logger = logging.getLogger(__name__)
 ALLOWED_EXTENSIONS = set(['xml', 'opml', 'json'])
+def is_safe_url(target):
+    """
+    Ensures that a redirect target will lead to the same server.
+    """
+    ref_url = urlparse(request.host_url)
+    test_url = urlparse(urljoin(request.host_url, target))
+    return test_url.scheme in ('http', 'https') and \
+           ref_url.netloc == test_url.netloc
+def get_redirect_target():
+    """
+    Looks at various hints to find the redirect target.
+    """
+    for target in request.args.get('next'), request.referrer:
+        if not target:
+            continue
+        if is_safe_url(target):
+            return target
 def allowed_file(filename):
     """
     Check if the uploaded file is allowed.
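Review bot: `is_safe_url` lets `urljoin`/`urlparse` decide the host, but browsers normalise backslashes to forward slashes, so a target that `urlparse` reads as a same-host relative path can still be resolved by the browser as a scheme-relative URL to a different host; reject such input before the join with `if '\\' in target: return False`, which also covers `get_redirect_target` since it passes `next` and the Referer through unchanged. `get_redirect_target` falls off the end and returns `None` when neither hint is present or passes the check, which its docstring does not say and callers must handle — add `Returns None when no safe target is found.` to the docstring. In the first hunk, the new `from flask import request` duplicates the existing flask import two lines below; folding it into `from flask import g, request` keeps the import block tidy.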