0001-utils-always-encode-next_url-to-ASCII-before-using-i.patch

Benjamin Dauvergne, 21 novembre 2017 10:41

Voir les différences: en ligne côte à côte

Subject: [PATCH] utils: always encode next_url to ASCII before using it (fixes
 #20181)

 src/authentic2/utils.py | 33 +++++++++++++++++++++++----------
 1 file changed, 23 insertions(+), 10 deletions(-)

                 url = request.build_absolute_uri(url)
             else:
                 raise TypeError('make_url() absolute cannot be used without request')
         return url
         # URL must be ASCII, always
         return url.encode('ascii')
     # improvement over django.shortcuts.redirect
-...
     def continue_to_next_url(request, keep_params=True, include=(constants.NONCE_FIELD_NAME,),
                              **kwargs):
         next_url = request.POST.get(REDIRECT_FIELD_NAME)
         next_url = next_url or request.GET.get(REDIRECT_FIELD_NAME)
         next_url = next_url or settings.LOGIN_REDIRECT_URL
         next_url = select_next_url(request, settings.LOGIN_REDIRECT_URL, include_post=True)
         return redirect(request, to=next_url, keep_params=keep_params, include=include, **kwargs)
-...
     def get_registration_url(request, service_slug=None):
         if REDIRECT_FIELD_NAME in request.GET and is_valid_url(request.GET[REDIRECT_FIELD_NAME]):
             next_url = request.GET.get(REDIRECT_FIELD_NAME)
         else:
             next_url = make_url(settings.LOGIN_REDIRECT_URL)
         next_url = select_next_url(request, settings.LOGIN_REDIRECT_URL)
         next_url = make_url(next_url, request=request, keep_params=True,
                             include=(constants.NONCE_FIELD_NAME,), resolve=False)
         params = {REDIRECT_FIELD_NAME: next_url}
-...
         return False
     def select_next_url(request, default):
     def get_next_url(params):
         '''Extract and decode a next_url field'''
         next_url = params.get(REDIRECT_FIELD_NAME)
         if not next_url:
             return None
         try:
             next_url = next_url.encode('ascii')
         except UnicodeEncodeError:
             return None
         if not is_valid_url(next_url):
             return None
         return next_url
     def select_next_url(request, default, include_post=False):
         '''Select the first valid next URL'''
         next_url = request.GET.get(REDIRECT_FIELD_NAME)
         next_url = (include_post and get_next_url(request.POST)) or get_next_url(request.GET)
         if good_next_url(request, next_url):
             return next_url
         return default
-...
         if domain1 == domain2:
             return True
         if not domain1 or not domain2:
             return False
         if domain2.startswith('.'):
             # p1 is a sub-domain or the base domain
             if domain1.endswith(domain2) or domain1 == domain2[1:]:
+    -

Projet

Général

Profil

Produits Entr'ouvert » Authentic 2

0001-utils-always-encode-next_url-to-ASCII-before-using-i.patch