Diffstat (limited to 'pyaggr3g470r/utils.py')
-rwxr-xr-xpyaggr3g470r/utils.py22
1 files changed, 21 insertions, 1 deletions
diff --git a/pyaggr3g470r/utils.py b/pyaggr3g470r/utils.py
index 3d8bb483..bcea5109 100755
--- a/pyaggr3g470r/utils.py
+++ b/pyaggr3g470r/utils.py
@@ -49,11 +49,12 @@ import sqlalchemy
try:
from urlparse import urlparse, parse_qs, urlunparse
except:
- from urllib.parse import urlparse, parse_qs, urlunparse
+ from urllib.parse import urlparse, parse_qs, urlunparse, urljoin
from bs4 import BeautifulSoup
from datetime import timedelta
from collections import Counter
from contextlib import contextmanager
+from flask import request
import conf
from flask import g
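Review bot: urljoin is added only to the Python 3 branch of the import (the `+` line under `except:`); the Python 2 branch in the `try` still imports just urlparse, parse_qs and urlunparse, so on Python 2 the new is_safe_url in the next hunk raises NameError on its first call, which is the redirect check itself. Add it to the first import as well: `from urlparse import urlparse, parse_qs, urlunparse, urljoin`. Separately, `from flask import request` is inserted two lines above the existing `from flask import g`; merging them into one line, `from flask import g, request`, keeps the flask imports together.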
@@ -65,6 +66,25 @@ logger = logging.getLogger(__name__)
ALLOWED_EXTENSIONS = set(['xml', 'opml', 'json'])
+def is_safe_url(target):
+ """
+ Ensures that a redirect target will lead to the same server.
+ """
+ ref_url = urlparse(request.host_url)
+ test_url = urlparse(urljoin(request.host_url, target))
+ return test_url.scheme in ('http', 'https') and \
+ ref_url.netloc == test_url.netloc
+
+def get_redirect_target():
+ """
+ Looks at various hints to find the redirect target.
+ """
+ for target in request.args.get('next'), request.referrer:
+ if not target:
+ continue
+ if is_safe_url(target):
+ return target
+
def allowed_file(filename):
"""
Check if the uploaded file is allowed.
bgstack15