bugfix: relax next verification

AUR renders its own 404 Not Found page when a bad route
is encountered. Introducing the previous verification
caused an error in this case when setting a language
while viewing the Not Found page. So, instead of checking
through routes, just make sure that the next parameter
starts with a '/' character, which removes the possibility
of any cross attacks.

+ Removed aurweb.asgi.routes; no longer needed.

Signed-off-by: Kevin Morris <kevr@0cost.org>
Kevin Morris 2021-05-24 05:19:57 -07:00
parent 32abdbafae
commit 822905be7d
3 changed files with 4 additions and 15 deletions


@ -61,7 +61,7 @@ def test_language_invalid_next():
""" Test an invalid next route at '/language'. """
post_data = {
"set_lang": "de",
"next": "/BLAHBLAHFAKE"
"next": "https://evil.net"
}
with client as req:
response = req.post("/language", data=post_data)
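Review bot: the new `next` value in `post_data` exercises only an absolute URL with a scheme (`"https://evil.net"`), so the test does not cover a scheme-relative value such as `//evil.net`, which also begins with '/' and would pass a check that looks only at the first character, as the commit message describes. Suggest adding a second case with `"next": "//evil.net"` and having the handler reject values whose second character is '/' or '\' in addition to requiring the leading '/'. The earlier `/BLAHBLAHFAKE` case is replaced rather than kept; a separate test asserting that an unknown local path is now accepted would document the relaxed behaviour for the 404 page.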