authorRenan Rodrigo <rebarbos@redhat.com>2019-10-31 18:46:07 +0100
committerRenan Rodrigo Barbosa <rebarbos@redhat.com>2019-11-07 09:34:41 +0000
commit90066ad68d9de407c5c05e08b984608b6928af8d (patch)
treed4f6e860ca0f323ac762e10a77f394549effee29
parent4ba9640871914a49784a2ea15b8ef6fb04260ce9 (diff)
Add verification to post-login redirection
Mitigate the possibility of an unintended redirection to malicious domains. Bug: 1672990 Change-Id: I9ade8cf169ece357703c489755e61bb210b80a61
-rw-r--r--Server/bkr/server/controllers.py2
1 files changed, 1 insertions, 1 deletions
diff --git a/Server/bkr/server/controllers.py b/Server/bkr/server/controllers.py
index 67f5105..f3d9fa0 100644
--- a/Server/bkr/server/controllers.py
+++ b/Server/bkr/server/controllers.py
@@ -1098,7 +1098,7 @@ class Root(RPCRoot):
@expose(template="bkr.server.templates.login")
def login(self, forward_url=None, **kwargs):
- if not forward_url:
+ if not forward_url or not re.match("^/[a-zA-Z0-9]", forward_url):
forward_url = url('/')
# If the container is doing authentication for us, we might have
# already been authenticated through REMOTE_USER.
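Review bot: The new guard on the `+` line constrains only the first two characters of `forward_url`, so everything after `/[A-Za-z0-9]` is accepted unchecked; that is sufficient to reject scheme-relative (`//host`) and backslash forms, which is the bug's stated intent, but the rule is not self-explanatory and deserves a comment on the line, e.g. `# Accept only a same-origin absolute path (one slash then an alphanumeric); this rules out scheme-relative // redirects to other hosts.` Two smaller points to confirm: the pattern also rejects legitimate paths whose second character is not alphanumeric (`/_...`, `/.well-known/...`), which may or may not matter for this application's routes; and if a request carries `forward_url` more than once the framework may pass a list here, in which case `re.match` raises `TypeError` instead of falling back to `url('/')`. The `^` anchor is redundant with `re.match`, which already anchors at the start. The body of `login` continues past the hunk, and `re` is assumed to be imported at module level in controllers.py.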