Validate scheme of next URL (#85)

indico · Aug 23, 2024 · 0bdcf65 · 0bdcf65
1 parent 7b213f9
commit 0bdcf65
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 1 deletion.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -1,6 +1,11 @@
 Changelog
 =========
 
+Version 0.5.5
+-------------
+
+- Ensure only valid schemas (http and https) can be used when validating the ``next`` URL
+
 Version 0.5.4
 -------------
 

diff --git a/flask_multipass/__init__.py b/flask_multipass/__init__.py
@@ -13,7 +13,7 @@
 from .identity import IdentityProvider
 
 
-__version__ = '0.5.4'
+__version__ = '0.5.5'
 __all__ = ('Multipass', 'AuthProvider', 'IdentityProvider', 'AuthInfo', 'IdentityInfo', 'Group', 'MultipassException',
            'AuthenticationFailed', 'IdentityRetrievalFailed', 'GroupRetrievalFailed', 'NoSuchUser',
            'InvalidCredentials')
diff --git a/flask_multipass/core.py b/flask_multipass/core.py
@@ -135,6 +135,8 @@ def validate_next_url(self, url):
         a whitelist of trusted hosts to avoid creating an open redirector.
         """
         url_info = urlsplit(url)
+        if url_info.scheme and url_info.scheme not in {'http', 'https'}:
+            return False
         return not url_info.netloc or url_info.netloc == request.host
 
     def process_login(self, provider=None):

diff --git a/tests/test_core.py b/tests/test_core.py
@@ -161,6 +161,7 @@ def test_next_url_invalid():
     ('//evil.com:80', False),
     ('http://evil.com', False),
     ('https://evil.com', False),
+    ('javascript:alert("eeeeeeeevil")', False),
 ))
 def test_validate_next_url(url, valid):
     app = Flask('test')