external/aurweb
0
0
Fork 0
mirror of https://gitlab.archlinux.org/archlinux/aurweb.git synced 2025-02-03 10:43:03 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

bugfix: relax next verification

Browse source 
AUR renders its own 404 Not Found page when a bad route
is encountered. Introducing the previous verification
caused an error in this case when setting a language
while viewing the Not Found page. So, instead of checking
through routes, just make sure that the next parameter
starts with a '/' character, which removes the possibility
of any cross attacks.

+ Removed aurweb.asgi.routes; no longer needed.

Signed-off-by: Kevin Morris <kevr@0cost.org>
This commit is contained in:
Kevin Morris 2021-05-24 05:19:57 -07:00
parent 32abdbafae
commit 822905be7d
3 changed files with 4 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
aurweb/asgi.py
View file

@ -12,8 +12,6 @@ from aurweb.auth import BasicAuthBackend
from aurweb.db import get_engine from aurweb.db import get_engine
from aurweb.routers import accounts, auth, errors, html, sso from aurweb.routers import accounts, auth, errors, html, sso
routes = set()
# Setup the FastAPI app. # Setup the FastAPI app.
app = FastAPI(exception_handlers=errors.exceptions) app = FastAPI(exception_handlers=errors.exceptions)
@ -47,13 +45,6 @@ async def app_startup():
# Initialize the database engine and ORM. # Initialize the database engine and ORM.
get_engine() get_engine()
# NOTE: Always keep this dictionary updated with all routes
# that the application contains. We use this to check for
# parameter value verification.
routes = {route.path for route in app.routes}
routes.update({route.path for route in sso.router.routes})
routes.update({route.path for route in html.router.routes})
@app.exception_handler(HTTPException) @app.exception_handler(HTTPException)
async def http_exception_handler(request, exc): async def http_exception_handler(request, exc):

8
aurweb/routers/html.py
View file

@ -32,11 +32,9 @@ async def language(request: Request,
parameters across the redirect. parameters across the redirect.
""" """
from aurweb.db import session from aurweb.db import session
from aurweb.asgi import routes
if unquote(next) not in routes: if next[0] != '/':
return HTMLResponse( return HTMLResponse(b"Invalid 'next' parameter.", status_code=400)
b"Invalid 'next' parameter.",
status_code=400)
query_string = "?" + q if q else str() query_string = "?" + q if q else str()

2
test/test_routes.py
View file

@ -61,7 +61,7 @@ def test_language_invalid_next():
""" Test an invalid next route at '/language'. """ """ Test an invalid next route at '/language'. """
post_data = { post_data = {
"set_lang": "de", "set_lang": "de",
"next": "/BLAHBLAHFAKE" "next": "https://evil.net"
} }
with client as req: with client as req:
response = req.post("/language", data=post_data) response = req.post("/language", data=post_data)