michael/pyfedi
1
0
Fork 0
mirror of https://codeberg.org/rimu/pyfedi synced 2025-01-23 19:36:56 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

avoid security issue of unvalidated redirections #421

Browse source 
https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/11-Client_Side_Testing/04-Testing_for_Client_Side_URL_Redirect
This commit is contained in:
rimu 2025-01-16 16:58:15 +13:00
parent 192b6470f7
commit 468a083dfa
5 changed files with 9 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
app/templates/post/_post_full.html
View file

@ -17,7 +17,7 @@
<div>{% if post.reports > 0 and current_user.is_authenticated and post.community.is_moderator(current_user) -%} <div>{% if post.reports > 0 and current_user.is_authenticated and post.community.is_moderator(current_user) -%}
<span class="red fe fe-report" title="{{ _('Reported. Check post for issues.') }}"></span> <span class="red fe fe-report" title="{{ _('Reported. Check post for issues.') }}"></span>
{% endif -%}<small>submitted <time datetime="{{ arrow.get(post.posted_at).format('YYYY-MM-DD HH:mm:ss ZZ') }}" title="{{ arrow.get(post.posted_at).format('YYYY-MM-DD HH:mm:ss ZZ') }}">{{ arrow.get(post.posted_at).humanize(locale=locale) }}</time> by {% endif -%}<small>submitted <time datetime="{{ arrow.get(post.posted_at).format('YYYY-MM-DD HH:mm:ss ZZ') }}" title="{{ arrow.get(post.posted_at).format('YYYY-MM-DD HH:mm:ss ZZ') }}">{{ arrow.get(post.posted_at).humanize(locale=locale) }}</time> by
{{ render_username(post.author, htmx_redirect_back_to=request.url) }} {{ render_username(post.author, htmx_redirect_back_to=request.path) }}
{% if post.edited_at -%} edited <time datetime="{{ arrow.get(post.posted_at).format('YYYY-MM-DD HH:mm:ss ZZ') }}" title="{{ arrow.get(post.posted_at).format('YYYY-MM-DD HH:mm:ss ZZ') }}">{{ arrow.get(post.edited_at).humanize(locale=locale) }}</time>{% endif -%}</small> {% if post.edited_at -%} edited <time datetime="{{ arrow.get(post.posted_at).format('YYYY-MM-DD HH:mm:ss ZZ') }}" title="{{ arrow.get(post.posted_at).format('YYYY-MM-DD HH:mm:ss ZZ') }}">{{ arrow.get(post.edited_at).humanize(locale=locale) }}</time>{% endif -%}</small>
</div> </div>
{% if post.type == POST_TYPE_IMAGE -%} {% if post.type == POST_TYPE_IMAGE -%}

6
app/templates/post/_post_reply_teaser.html
View file

@ -28,7 +28,7 @@
<div class="row"> <div class="row">
<div class="col-auto comment_author"> <div class="col-auto comment_author">
<span class="visually-hidden">by</span> <span class="visually-hidden">by</span>
{{ render_username(post_reply.author, htmx_redirect_back_to=request.url + '#comment_' + str(post_reply.id)) }} {{ render_username(post_reply.author, htmx_redirect_back_to=request.path + '#comment_' + str(post_reply.id)) }}
{% if post_reply.author.id == post_reply.post.author.id -%} {% if post_reply.author.id == post_reply.post.author.id -%}
<span title="Submitter of original post" aria-label="{{ _('Post creator') }}" class="small"> [OP]</span> <span title="Submitter of original post" aria-label="{{ _('Post creator') }}" class="small"> [OP]</span>
{% endif -%} {% endif -%}
@ -55,9 +55,9 @@
<div class="col-12"> <div class="col-12">
{% if post_reply.deleted and not show_deleted -%} {% if post_reply.deleted and not show_deleted -%}
{% if post_reply.deleted_by is none or post_reply.deleted_by != post_reply.user_id -%} {% if post_reply.deleted_by is none or post_reply.deleted_by != post_reply.user_id -%}
<p>Deleted by moderator</p> <p>{{ _('Deleted by moderator') }}</p>
{% else -%} {% else -%}
<p>Deleted by author</p> <p>{{ _('Deleted by author') }}</p>
{% endif -%} {% endif -%}
{% else -%} {% else -%}
{{ post_reply.body_html | community_links | person_links | safe }} {{ post_reply.body_html | community_links | person_links | safe }}

2
app/templates/post/post_teaser/_title.html
View file

@ -28,4 +28,4 @@
<span class="author small">{% if show_post_community -%}<a href="/c/{{ post.community.link() }}" aria-label="{{ _('Go to community %(name)s', name=post.community.name) }}"> <span class="author small">{% if show_post_community -%}<a href="/c/{{ post.community.link() }}" aria-label="{{ _('Go to community %(name)s', name=post.community.name) }}">
{% if post.community.icon_id and not low_bandwidth %}<img class="community_icon_small rounded-circle" src="{{ post.community.icon_image('tiny') }}" alt="Community icon" />{% endif -%} {% if post.community.icon_id and not low_bandwidth %}<img class="community_icon_small rounded-circle" src="{{ post.community.icon_image('tiny') }}" alt="Community icon" />{% endif -%}
c/{{ post.community.name }}</a>{% endif -%} c/{{ post.community.name }}</a>{% endif -%}
by {{ render_username(post.author, htmx_redirect_back_to=request.url + '#post_' + str(post.id)) }} <time datetime="{{ post.last_active }}" title="{{ post.last_active }}">{{ post.posted_at_localized(sort, locale) }}</time></span> by {{ render_username(post.author, htmx_redirect_back_to=request.path + '#post_' + str(post.id)) }} <time datetime="{{ post.last_active }}" title="{{ post.last_active }}">{{ post.posted_at_localized(sort, locale) }}</time></span>

2
app/templates/user/user_preview.html
View file

@ -55,7 +55,7 @@
</div> </div>
{% if current_user.is_authenticated -%} {% if current_user.is_authenticated -%}
<div class="col-auto text-center"> <div class="col-auto text-center">
<a href="{{ url_for('user.edit_user_note', actor=user.link(), return_to=return_to) }}" class="btn btn-secondary btn-sm">{{ _('Edit note') }}</a> <a href="{{ url_for('user.edit_user_note', actor=user.link(), return_to=return_to) }}" class="btn btn-primary btn-sm">{{ _('Edit note') }}</a>
</div> </div>
{% endif -%} {% endif -%}
</div> </div>

4
app/user/routes.py
View file

@ -1346,7 +1346,9 @@ def user_read_posts_delete():
@login_required @login_required
def edit_user_note(actor): def edit_user_note(actor):
actor = actor.strip() actor = actor.strip()
return_to = request.args.get('return_to') return_to = request.args.get('return_to', '').strip()
if return_to.startswith('http'):
abort(401)
if '@' in actor: if '@' in actor:
user: User = User.query.filter_by(ap_id=actor, deleted=False).first() user: User = User.query.filter_by(ap_id=actor, deleted=False).first()
else: else: