Better error handling on next parameter
This commit is contained in:
parent
2bfb02c448
commit
0180b4b6b5
3 changed files with 583 additions and 741 deletions
17
cps/redirect.py
Normal file → Executable file
17
cps/redirect.py
Normal file → Executable file
|
@ -29,7 +29,7 @@
|
|||
|
||||
from urllib.parse import urlparse, urljoin
|
||||
|
||||
from flask import request, url_for, redirect
|
||||
from flask import request, url_for, redirect, current_app
|
||||
|
||||
|
||||
def is_safe_url(target):
|
||||
|
@ -38,16 +38,15 @@ def is_safe_url(target):
|
|||
return test_url.scheme in ('http', 'https') and ref_url.netloc == test_url.netloc
|
||||
|
||||
|
||||
def get_redirect_target():
|
||||
for target in request.values.get('next'), request.referrer:
|
||||
if not target:
|
||||
continue
|
||||
if is_safe_url(target):
|
||||
return target
|
||||
def remove_prefix(text, prefix):
|
||||
if text.startswith(prefix):
|
||||
return text[len(prefix):]
|
||||
return ""
|
||||
|
||||
|
||||
def redirect_back(endpoint, **values):
|
||||
target = request.form['next']
|
||||
if not target or not is_safe_url(target):
|
||||
target = request.form.get('next', None) or url_for(endpoint, **values)
|
||||
adapter = current_app.url_map.bind(urlparse(request.host_url).netloc)
|
||||
if not len(adapter.allowed_methods(remove_prefix(target, request.environ.get('HTTP_X_SCRIPT_NAME',"")))):
|
||||
target = url_for(endpoint, **values)
|
||||
return redirect(target)
|
||||
|
|
|
@ -1322,7 +1322,7 @@ def handle_login_user(user, remember, message, category):
|
|||
ub.store_user_session()
|
||||
flash(message, category=category)
|
||||
[limiter.limiter.storage.clear(k.key) for k in limiter.current_limits]
|
||||
return redirect_back(url_for("web.index"))
|
||||
return redirect_back("web.index")
|
||||
|
||||
|
||||
def render_login(username="", password=""):
|
||||
|
|
File diff suppressed because it is too large
Load diff
Loading…
Reference in a new issue