From 5c9d56d2f7b3ec5b3daa42d7c11f000ff7a1885f Mon Sep 17 00:00:00 2001
From: Anders Kaseorg
Date: Tue, 9 Jun 2020 21:19:21 -0700
Subject: [PATCH] get_safe_redirect_to: Remove incorrect allowed_hosts setting.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

set(redirect_host) is a set of characters, so the only non-relative redirects being allowed were to certain one-character hostnames, which certainly isn’t what was intended.

Signed-off-by: Anders Kaseorg
---
 zerver/views/auth.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/zerver/views/auth.py b/zerver/views/auth.py
index e0da3d2964..aaa2f8ffd6 100644
--- a/zerver/views/auth.py
+++ b/zerver/views/auth.py
@@ -62,7 +62,7 @@ from two_factor.views import LoginView as BaseTwoFactorLoginView
 ExtraContext = Optional[Dict[str, Any]]
 
 def get_safe_redirect_to(url: str, redirect_host: str) -> str:
-    is_url_safe = is_safe_url(url=url, allowed_hosts=set(redirect_host))
+    is_url_safe = is_safe_url(url=url, allowed_hosts=None)
     if is_url_safe:
         return urllib.parse.urljoin(redirect_host, url)
     else:
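Review bot: With `allowed_hosts=None` Django's `is_safe_url` treats the allowed set as empty, so any URL carrying a netloc — including an absolute URL on `redirect_host` itself — now fails the check and falls through to the `else:` branch, whose body lies outside this hunk. That is the safe direction, but the `redirect_host` parameter and the `urljoin` on the line below suggest same-host absolute redirects were meant to be accepted; if so, the fix matching the original intent is `allowed_hosts={urllib.parse.urlparse(redirect_host).netloc}` (netloc includes any port, so it must agree with how callers build `redirect_host` — verify before relying on it). If relative-only is the intended contract, say so in a docstring so the next reader does not reintroduce a host set: `"""Join url onto redirect_host only if url is a safe relative path; URLs with a host are rejected."""`. Note also that `is_safe_url` was deprecated in favor of `url_has_allowed_host_and_scheme` in Django 3.0, which applies if the project is on that version or later.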