Verify the next value also when setting it
matthiask committed Nov 18, 2024
1 parent 024e21b commit 41335ae
Showing 3 changed files with 16 additions and 2 deletions.
3 changes: 3 additions & 0 deletions CHANGELOG.rst
Expand Up @@ -7,6 +7,9 @@ Next version

- Added two missing methods to the ``PermissionsBackend`` so that the admin app
list works correctly.
- Added verification of the ``next`` cookie value also when setting the cookie,
not just when reading it.


0.17 (2024-08-19)
=================
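--- a/authlib/views.py
+++ b/authlib/views.py
@@ -23,8 +23,12 @@ def set_next_cookie(view):
     @wraps(view)
     def fn(request, *args, **kwargs):
         response = view(request, *args, **kwargs)
-        if request.GET.get("next"):
-            response.set_cookie(REDIRECT_COOKIE_NAME, request.GET["next"], max_age=600)
+        if (next := request.GET.get("next")) and url_has_allowed_host_and_scheme(
+            url=next,
+            allowed_hosts={request.get_host()},
+            require_https=request.is_secure(),
+        ):
+            response.set_cookie(REDIRECT_COOKIE_NAME, next, max_age=600)
         return response
 
     return fn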
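Review bot: The walrus target `next` on the first added line shadows the builtin `next`, which is easy to misread inside a closure and is flagged by linters (ruff A001); a rename costs nothing: `if (next_url := request.GET.get("next")) and url_has_allowed_host_and_scheme(`, `url=next_url,`, `response.set_cookie(REDIRECT_COOKIE_NAME, next_url, max_age=600)`. The host/scheme check with `allowed_hosts={request.get_host()}` and `require_https=request.is_secure()` is the right one for a redirect target, and the import of `url_has_allowed_host_and_scheme` is presumably already present since the changelog says the read side validates the same way — worth confirming in the unchanged head of the file. As far as this page shows the cookie is only consumed server-side, so adding `httponly=True` and `secure=request.is_secure()` to the `set_cookie` call would keep the stored redirect target out of reach of page scripts at no cost. The enclosing `set_next_cookie` starts on the hunk header line, outside the hunk.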
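--- a/tests/testapp/test_authlib.py
+++ b/tests/testapp/test_authlib.py
@@ -223,6 +223,13 @@ def test_authlib(self):
             {"[email protected]", "[email protected]"},
         )
 
+    def test_invalid_next_cookie(self):
+        client = Client()
+        response = client.get("/login/?next=http://example.com")
+        FacebookOAuth2Client.get_user_data = lambda self: {"email": "[email protected]"}
+        response = client.get("/oauth/facebook/?code=bla")
+        self.assertRedirects(response, "/?login=1", fetch_redirect_response=False)
+
     def test_str_and_email_obfuscate(self):
         user = User(email="[email protected]")
         self.assertEqual(user.get_full_name(), "jus***@***.com")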
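Review bot: The added `test_invalid_next_cookie` replaces `FacebookOAuth2Client.get_user_data` at class level and never restores it, so the stub leaks into every test that runs afterwards; unless the surrounding tests (outside the hunk) deliberately share that pattern, scope it with `with mock.patch.object(FacebookOAuth2Client, "get_user_data", return_value={"email": "[email protected]"}):` around the second `client.get` (importing `unittest.mock` if the file does not already). The test also exercises only one rejected form of `next`; a scheme-relative `//example.com` case and a positive `next=/somewhere` case asserting the cookie is still set would pin both sides of the new check, if the existing tests do not already cover the positive path. The first `response` assignment is overwritten without being used. The enclosing test class starts outside the hunk.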
