From 856d6176ca1c8a929c77a6205fa98eb5c7143d8f Mon Sep 17 00:00:00 2001
From: kaiyou
Date: Sun, 10 Sep 2017 15:56:08 +0200
Subject: [PATCH] Handle redirects properly when logging in, fixes #195
---
 admin/mailu/admin/views/base.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/admin/mailu/admin/views/base.py b/admin/mailu/admin/views/base.py
index eb629179..4ab91325 100644
--- a/admin/mailu/admin/views/base.py
+++ b/admin/mailu/admin/views/base.py
@@ -6,6 +6,7 @@ import flask_login
 import smtplib
 from email.mime import text
+from urllib import parse
 @app.route('/', methods=["GET"])
@@ -21,7 +22,11 @@ def login():
     user = models.User.login(form.email.data, form.pw.data)
     if user:
         flask_login.login_user(user)
-        return flask.redirect(flask.url_for('.index'))
+        redirect = flask.request.args.get('next')
+        parsed_redirect = parse.urlparse(redirect)
+        if parsed_redirect.scheme or parsed_redirect.netloc:
+            return flask.abort(400)
+        return flask.redirect(redirect or flask.url_for('.index'))
     else:
         flask.flash('Wrong e-mail or password', 'error')
     return flask.render_template('login.html', form=form)
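Review bot: The `parsed_redirect.scheme or parsed_redirect.netloc` test in the second hunk still accepts values that `urlparse` reports as a bare path but that browsers resolve to another host, such as `/\evil.example` (the backslash is normalised to a slash) or `///evil.example` (the extra slash collapses into an authority), so the open redirect via `next` is only partly closed. A more robust check resolves `next` against `flask.request.host_url` with `parse.urljoin`, requires the resulting scheme to be http or https and the netloc to equal the request's own, and then redirects to that absolute URL so the browser cannot reinterpret the raw string. The `urlparse(None)` call when `next` is absent only works because urllib coerces `None` to an empty URL, so guarding with `if redirect:` first is clearer, and since `flask.abort(400)` raises, the `return` in front of it is dead. `login()` begins above the hunk, so the surrounding form handling is not visible here.
```python
        redirect = flask.request.args.get('next')
        if redirect:
            base = parse.urlparse(flask.request.host_url)
            target = parse.urlparse(parse.urljoin(flask.request.host_url, redirect))
            # Only follow a target that resolves to this host over http(s);
            # urlparse alone misses browser-side normalisation of "/\" and "///".
            if target.scheme not in ('http', 'https') or target.netloc != base.netloc:
                flask.abort(400)
            redirect = target.geturl()
        return flask.redirect(redirect or flask.url_for('.index'))
```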