bugfix: relax next verification

AUR renders its own 404 Not Found page when a bad route
is encountered. Introducing the previous verification
caused an error in this case when setting a language
while viewing the Not Found page. So, instead of checking
through routes, just make sure that the next parameter
starts with a '/' character, which removes the possibility
of any cross attacks.

+ Removed aurweb.asgi.routes; no longer needed.

Signed-off-by: Kevin Morris <kevr@0cost.org>
Kevin Morris 2021-05-24 05:19:57 -07:00
parent 32abdbafae
commit 822905be7d
3 changed files with 4 additions and 15 deletions

@ -32,11 +32,9 @@ async def language(request: Request,
parameters across the redirect.
"""
from aurweb.db import session
from aurweb.asgi import routes
if unquote(next) not in routes:
return HTMLResponse(
b"Invalid 'next' parameter.",
status_code=400)
if next[0] != '/':
return HTMLResponse(b"Invalid 'next' parameter.", status_code=400)
query_string = "?" + q if q else str()
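Review bot: the replacement check `if next[0] != '/':` inspects only the first character, so a value starting with `//` (or `/\`) is accepted, and a browser treats that as a scheme-relative URL on another host if `next` becomes the redirect target. Suggest also rejecting a second leading `/` or `\`, for example by requiring `next.startswith('/')` and refusing `next[1:2] in ('/', '\\')`. Two smaller points on the same line: `next[0]` raises IndexError when `next` is an empty string, which `startswith` avoids, and the removed check compared `unquote(next)` while the new one looks at the raw value, so it is worth deciding which form is validated and validating the same form that is later placed in the redirect.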