avoid security issue of unvalidated redirections #421

https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/04-Testing_for_Client_Side_URL_Redirect
2025-01-23 11:26:56 -08:00 · 2025-01-16 16:58:15 +13:00 · 2025-01-16 16:58:15 +13:00 · 468a083dfa
commit 468a083dfa
parent 192b6470f7
5 changed files with 9 additions and 7 deletions
--- a/app/templates/post/_post_full.html
+++ b/app/templates/post/_post_full.html
@ -17,7 +17,7 @@
            <div>{% if post.reports > 0 and current_user.is_authenticated and post.community.is_moderator(current_user) -%}
                    <span class="red fe fe-report" title="{{ _('Reported. Check post for issues.') }}"></span>
                {% endif -%}<small>submitted <time datetime="{{ arrow.get(post.posted_at).format('YYYY-MM-DD HH:mm:ss ZZ') }}" title="{{ arrow.get(post.posted_at).format('YYYY-MM-DD HH:mm:ss ZZ') }}">{{ arrow.get(post.posted_at).humanize(locale=locale) }}</time> by
-                {{ render_username(post.author, htmx_redirect_back_to=request.url) }}
+                {{ render_username(post.author, htmx_redirect_back_to=request.path) }}
                {% if post.edited_at -%} edited <time datetime="{{ arrow.get(post.posted_at).format('YYYY-MM-DD HH:mm:ss ZZ') }}" title="{{ arrow.get(post.posted_at).format('YYYY-MM-DD HH:mm:ss ZZ') }}">{{ arrow.get(post.edited_at).humanize(locale=locale) }}</time>{% endif -%}</small>
            </div>
            {% if post.type == POST_TYPE_IMAGE -%}
--- a/app/templates/post/_post_reply_teaser.html
+++ b/app/templates/post/_post_reply_teaser.html
@ -28,7 +28,7 @@
    <div class="row">
        <div class="col-auto comment_author">
            <span class="visually-hidden">by</span>
-            {{ render_username(post_reply.author, htmx_redirect_back_to=request.url + '#comment_' + str(post_reply.id)) }}
+            {{ render_username(post_reply.author, htmx_redirect_back_to=request.path + '#comment_' + str(post_reply.id)) }}
            {% if post_reply.author.id == post_reply.post.author.id -%}
                <span title="Submitter of original post" aria-label="{{ _('Post creator') }}" class="small"> [OP]</span>
            {% endif -%}
@ -55,9 +55,9 @@
        <div class="col-12">
            {% if post_reply.deleted and not show_deleted -%}
                {% if post_reply.deleted_by is none or post_reply.deleted_by != post_reply.user_id -%}
-                    <p>Deleted by moderator</p>
+                    <p>{{ _('Deleted by moderator') }}</p>
                {% else -%}
-                    <p>Deleted by author</p>
+                    <p>{{ _('Deleted by author') }}</p>
                {% endif -%}
            {% else -%}
                {{ post_reply.body_html | community_links | person_links | safe }}
--- a/app/templates/post/post_teaser/_title.html
+++ b/app/templates/post/post_teaser/_title.html
@ -28,4 +28,4 @@
 <span class="author small">{% if show_post_community -%}<a href="/c/{{ post.community.link() }}" aria-label="{{ _('Go to community %(name)s', name=post.community.name) }}">
    {% if post.community.icon_id and not low_bandwidth %}<img class="community_icon_small rounded-circle" src="{{ post.community.icon_image('tiny') }}" alt="Community icon" />{% endif -%}
    c/{{ post.community.name }}</a>{% endif -%}
-    by {{ render_username(post.author, htmx_redirect_back_to=request.url + '#post_' + str(post.id)) }} <time datetime="{{ post.last_active }}" title="{{ post.last_active }}">{{ post.posted_at_localized(sort, locale) }}</time></span>
+    by {{ render_username(post.author, htmx_redirect_back_to=request.path + '#post_' + str(post.id)) }} <time datetime="{{ post.last_active }}" title="{{ post.last_active }}">{{ post.posted_at_localized(sort, locale) }}</time></span>
--- a/app/templates/user/user_preview.html
+++ b/app/templates/user/user_preview.html
@ -55,7 +55,7 @@
            </div>
            {% if current_user.is_authenticated -%}
                <div class="col-auto text-center">
-                    <a href="{{ url_for('user.edit_user_note', actor=user.link(), return_to=return_to) }}" class="btn btn-secondary btn-sm">{{ _('Edit note') }}</a>
+                    <a href="{{ url_for('user.edit_user_note', actor=user.link(), return_to=return_to) }}" class="btn btn-primary btn-sm">{{ _('Edit note') }}</a>
                </div>
            {% endif -%}
        </div>
--- a/app/user/routes.py
+++ b/app/user/routes.py
@ -1346,7 +1346,9 @@ def user_read_posts_delete():
@login_required
 def edit_user_note(actor):
    actor = actor.strip()
-    return_to = request.args.get('return_to')
+    return_to = request.args.get('return_to', '').strip()
+    if return_to.startswith('http'):
+        abort(401)
    if '@' in actor:
        user: User = User.query.filter_by(ap_id=actor, deleted=False).first()
    else: