get_safe_redirect_to: Remove incorrect allowed_hosts setting.

set(redirect_host) is a set of characters, so the only non-relative
redirects being allowed were to certain one-character hostnames, which
certainly isn’t what was intended.

Signed-off-by: Anders Kaseorg <anders@zulip.com>
Anders Kaseorg 2020-06-09 21:19:21 -07:00 committed by Tim Abbott
parent 3decbd1e23
commit 5c9d56d2f7
1 changed files with 1 additions and 1 deletions


@ -62,7 +62,7 @@ from two_factor.views import LoginView as BaseTwoFactorLoginView
ExtraContext = Optional[Dict[str, Any]] ExtraContext = Optional[Dict[str, Any]]
def get_safe_redirect_to(url: str, redirect_host: str) -> str: def get_safe_redirect_to(url: str, redirect_host: str) -> str:
is_url_safe = is_safe_url(url=url, allowed_hosts=set(redirect_host)) is_url_safe = is_safe_url(url=url, allowed_hosts=None)
if is_url_safe: if is_url_safe:
return urllib.parse.urljoin(redirect_host, url) return urllib.parse.urljoin(redirect_host, url)
else: else:
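Review bot: `allowed_hosts=None` on the new `is_safe_url` call means only host-less (relative) URLs are accepted, but nothing at the call site says this is deliberate, so a later reader could "re-fix" it by passing a host again. I would add a comment above the call, for example `# allowed_hosts=None: accept only relative URLs; redirect_host is the urljoin base, not an allow-list entry.` The diffstat shows a single changed file, so no regression test accompanies the fix. A test asserting that an absolute URL with a one-character host and a scheme-relative `//host/path` URL both take the `else` branch would pin the intended behaviour. The body of `get_safe_redirect_to` continues past the end of the hunk, so the fallback value returned there is not visible here.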