From 468a083dfa3e4f457d38dba581e9761bcdb5375a Mon Sep 17 00:00:00 2001
From: rimu <3310831+rimu@users.noreply.github.com>
Date: Thu, 16 Jan 2025 16:58:15 +1300
Subject: [PATCH] avoid security issue of unvalidated redirections #421

https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/04-Testing_for_Client_Side_URL_Redirect
---
 app/templates/post/_post_full.html         | 2 +-
 app/templates/post/_post_reply_teaser.html | 6 +++---
 app/templates/post/post_teaser/_title.html | 2 +-
 app/templates/user/user_preview.html       | 2 +-
 app/user/routes.py                         | 4 +++-
 5 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/app/templates/post/_post_full.html b/app/templates/post/_post_full.html
index ac1079b3..cd06b01d 100644
--- a/app/templates/post/_post_full.html
+++ b/app/templates/post/_post_full.html
@@ -17,7 +17,7 @@
             <div>{% if post.reports > 0 and current_user.is_authenticated and post.community.is_moderator(current_user) -%}
                     <span class="red fe fe-report" title="{{ _('Reported. Check post for issues.') }}"></span>
                 {% endif -%}<small>submitted <time datetime="{{ arrow.get(post.posted_at).format('YYYY-MM-DD HH:mm:ss ZZ') }}" title="{{ arrow.get(post.posted_at).format('YYYY-MM-DD HH:mm:ss ZZ') }}">{{ arrow.get(post.posted_at).humanize(locale=locale) }}</time> by
-                {{ render_username(post.author, htmx_redirect_back_to=request.url) }}
+                {{ render_username(post.author, htmx_redirect_back_to=request.path) }}
                 {% if post.edited_at -%} edited <time datetime="{{ arrow.get(post.posted_at).format('YYYY-MM-DD HH:mm:ss ZZ') }}" title="{{ arrow.get(post.posted_at).format('YYYY-MM-DD HH:mm:ss ZZ') }}">{{ arrow.get(post.edited_at).humanize(locale=locale) }}</time>{% endif -%}</small>
             </div>
             {% if post.type == POST_TYPE_IMAGE -%}
diff --git a/app/templates/post/_post_reply_teaser.html b/app/templates/post/_post_reply_teaser.html
index a58bb184..9fa1df2c 100644
--- a/app/templates/post/_post_reply_teaser.html
+++ b/app/templates/post/_post_reply_teaser.html
@@ -28,7 +28,7 @@
     <div class="row">
         <div class="col-auto comment_author">
             <span class="visually-hidden">by</span>
-            {{ render_username(post_reply.author, htmx_redirect_back_to=request.url + '#comment_' + str(post_reply.id)) }}
+            {{ render_username(post_reply.author, htmx_redirect_back_to=request.path + '#comment_' + str(post_reply.id)) }}
             {% if post_reply.author.id == post_reply.post.author.id -%}
                 <span title="Submitter of original post" aria-label="{{ _('Post creator') }}" class="small"> [OP]</span>
             {% endif -%}
@@ -55,9 +55,9 @@
         <div class="col-12">
             {% if post_reply.deleted and not show_deleted -%}
                 {% if post_reply.deleted_by is none or post_reply.deleted_by != post_reply.user_id -%}
-                    <p>Deleted by moderator</p>
+                    <p>{{ _('Deleted by moderator') }}</p>
                 {% else -%}
-                    <p>Deleted by author</p>
+                    <p>{{ _('Deleted by author') }}</p>
                 {% endif -%}
             {% else -%}
                 {{ post_reply.body_html | community_links | person_links | safe }}
diff --git a/app/templates/post/post_teaser/_title.html b/app/templates/post/post_teaser/_title.html
index bfd84893..4b5a7bc9 100644
--- a/app/templates/post/post_teaser/_title.html
+++ b/app/templates/post/post_teaser/_title.html
@@ -28,4 +28,4 @@
 <span class="author small">{% if show_post_community -%}<a href="/c/{{ post.community.link() }}" aria-label="{{ _('Go to community %(name)s', name=post.community.name) }}">
     {% if post.community.icon_id and not low_bandwidth %}<img class="community_icon_small rounded-circle" src="{{ post.community.icon_image('tiny') }}" alt="Community icon" />{% endif -%}
     c/{{ post.community.name }}</a>{% endif -%}
-    by {{ render_username(post.author, htmx_redirect_back_to=request.url + '#post_' + str(post.id)) }} <time datetime="{{ post.last_active }}" title="{{ post.last_active }}">{{ post.posted_at_localized(sort, locale) }}</time></span>
+    by {{ render_username(post.author, htmx_redirect_back_to=request.path + '#post_' + str(post.id)) }} <time datetime="{{ post.last_active }}" title="{{ post.last_active }}">{{ post.posted_at_localized(sort, locale) }}</time></span>
diff --git a/app/templates/user/user_preview.html b/app/templates/user/user_preview.html
index 69c01313..91614753 100644
--- a/app/templates/user/user_preview.html
+++ b/app/templates/user/user_preview.html
@@ -55,7 +55,7 @@
             </div>
             {% if current_user.is_authenticated -%}
                 <div class="col-auto text-center">
-                    <a href="{{ url_for('user.edit_user_note', actor=user.link(), return_to=return_to) }}" class="btn btn-secondary btn-sm">{{ _('Edit note') }}</a>
+                    <a href="{{ url_for('user.edit_user_note', actor=user.link(), return_to=return_to) }}" class="btn btn-primary btn-sm">{{ _('Edit note') }}</a>
                 </div>
             {% endif -%}
         </div>
diff --git a/app/user/routes.py b/app/user/routes.py
index fe327e22..50b7e08d 100644
--- a/app/user/routes.py
+++ b/app/user/routes.py
@@ -1346,7 +1346,9 @@ def user_read_posts_delete():
 @login_required
 def edit_user_note(actor):
     actor = actor.strip()
-    return_to = request.args.get('return_to')
+    return_to = request.args.get('return_to', '').strip()
+    if return_to.startswith('http'):
+        abort(401)
     if '@' in actor:
         user: User = User.query.filter_by(ap_id=actor, deleted=False).first()
     else: