Annikka/evennia
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Make website character page redirect validate url to be more secure

Browse source
This commit is contained in:
Griatch 2024-03-17 10:03:47 +01:00
parent 138e21a94c
commit 23b9d06db5
2 changed files with 14 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

3
CHANGELOG.md
View file

@ -37,7 +37,8 @@
account (Griatch) account (Griatch)
- [Fix][issue4311]: SSH connection caused a traceback in protocol (Griatch) - [Fix][issue4311]: SSH connection caused a traceback in protocol (Griatch)
- Fix: Resolve a bug when loading on-demand-handler data from database (Griatch) - Fix: Resolve a bug when loading on-demand-handler data from database (Griatch)
- Security: Potentially O(n2) regex exploit in rpsystem regex (Griatch) - Security: Potential O(n2) regex exploit in rpsystem regex (Griatch)
- Security: Fix potential redirect vulnerability in character page redirect (Griatch)
- Doc fixes (iLPdev, Griatch, CloudKeeper) - Doc fixes (iLPdev, Griatch, CloudKeeper)
[pull3420]: https://github.com/evennia/evennia/pull/3420 [pull3420]: https://github.com/evennia/evennia/pull/3420

19
evennia/web/website/views/characters.py
View file

@ -10,19 +10,16 @@ from django.contrib.auth.mixins import LoginRequiredMixin
from django.db.models.functions import Lower from django.db.models.functions import Lower
from django.http import HttpResponseRedirect from django.http import HttpResponseRedirect
from django.urls import reverse_lazy from django.urls import reverse_lazy
from django.utils.encoding import iri_to_uri
from django.utils.http import url_has_allowed_host_and_scheme
from django.views.generic import ListView from django.views.generic import ListView
from django.views.generic.base import RedirectView from django.views.generic.base import RedirectView
from evennia.utils import class_from_module from evennia.utils import class_from_module
from evennia.web.website import forms from evennia.web.website import forms
from .mixins import TypeclassMixin from .mixins import TypeclassMixin
from .objects import ( from .objects import (ObjectCreateView, ObjectDeleteView, ObjectDetailView,
ObjectCreateView, ObjectUpdateView)
ObjectDeleteView,
ObjectDetailView,
ObjectUpdateView,
)
class CharacterMixin(TypeclassMixin): class CharacterMixin(TypeclassMixin):
@ -125,6 +122,13 @@ class CharacterPuppetView(LoginRequiredMixin, CharacterMixin, RedirectView, Obje
# Get the page the user came from # Get the page the user came from
next_page = self.request.GET.get("next", self.success_url) next_page = self.request.GET.get("next", self.success_url)
# since next_page is untrusted input from the user, we need to check it's safe to
next_page = iri_to_uri(next_page)
if not url_has_allowed_host_and_scheme(url=next_page,
allowed_hosts={self.request.get_host()},
require_https=self.request.is_secure()):
next_page = self.success_url
if char: if char:
# If the account owns the char, store the ID of the char in the # If the account owns the char, store the ID of the char in the
# Django request's session (different from Evennia session!). # Django request's session (different from Evennia session!).
@ -136,6 +140,7 @@ class CharacterPuppetView(LoginRequiredMixin, CharacterMixin, RedirectView, Obje
self.request.session["puppet"] = None self.request.session["puppet"] = None
messages.error(self.request, "You cannot become '%s'." % char) messages.error(self.request, "You cannot become '%s'." % char)
return next_page return next_page