Bug #7784
Open redirection (Closed)
GET /mentat/auth/login?next=https:%5C%5Cbxss.me HTTP/1.1
POST /mentat/users/5/update HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 250
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Safari/537.36
Connection: Keep-alive

csrf_token=IjA3ODI2YTVlZjhlYzU2MzUzNGJhMDNhYzE3OTU2ZGY2M2U1YTM5ZDki.ZuPhcA.H5oMlcq17Aoqq_e8yHQeSvxoro0&email=flab%40cesnet.cz&fullname=FLAB%20test&locale=cs&next=https:%5C%5Cbxss.me&organization=CESNET%20z.s.p.o.&submit=Submit&timezone=Africa/Abidjan
Updated by Rajmund Hruška 2 months ago
- Status changed from New to In Progress
- Assignee set to Rajmund Hruška
Updated by Rajmund Hruška 2 months ago
The issue is in the code for checking if URL is safe:
import urllib.parse
import flask

def _is_safe_url(target):
    """Check, if the URL is safe enough to be redirected to."""
    # Only CR/LF are rejected; backslashes pass through untouched.
    if '\n' in target or '\r' in target:
        return False
    ref_url = urllib.parse.urlparse(flask.request.host_url)
    test_url = urllib.parse.urlparse(urllib.parse.urljoin(flask.request.host_url, target))
    return test_url.scheme in ('http', 'https') and \
        ref_url.netloc == test_url.netloc
From the documentation of urllib:
Following the syntax specifications in RFC 1808, urlparse recognizes a netloc only if it is properly introduced by ‘//’. Otherwise the input is presumed to be a relative URL and thus to start with a path component.
The question still is why https:\\bxss.me is a valid address.
Updated by Rajmund Hruška 2 months ago
What we could do to resolve this is to only allow relative addresses. We need to be sure that we don't use absolute ones though.
Updated by Rajmund Hruška 2 months ago
- Status changed from In Progress to Resolved
- Assignee set to Rajmund Hruška
- Target version changed from Backlog to 2.14
Updated by Pavel Kácha about 2 months ago
Rajmund Hruška wrote in #note-3:
What we could do to resolve this is to only allow relative addresses. We need to be sure that we don't use absolute ones though.
Or to also recognize correct absolute ones.
Also - wouldn't we want to be on the safe side and whitelist allowed characters instead of whack-a-moling potentially dangerous ones?
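An added demonstration (not code from the ticket or from Mentat) of the parser mismatch described in note-2 and of the allow-list direction suggested in note-6: `urllib` resolves `https:\\bxss.me` as a path on our own host, while a browser following the WHATWG URL rules treats backslashes in http(s) URLs as slashes and lands on another host. The host URL, the `browser_host` helper and the `_SAFE_PATH` pattern are assumptions constructed for this example.

```python
import re
import urllib.parse

# Constructed stand-in for flask.request.host_url (assumption, not Mentat's real host).
HOST_URL = "https://mentat.example.org/"


def is_safe_url_original(target, host_url=HOST_URL):
    """The check from note-2, with host_url passed in instead of read from flask."""
    if '\n' in target or '\r' in target:
        return False
    ref_url = urllib.parse.urlparse(host_url)
    test_url = urllib.parse.urlparse(urllib.parse.urljoin(host_url, target))
    return test_url.scheme in ('http', 'https') and ref_url.netloc == test_url.netloc


def browser_host(target, host_url=HOST_URL):
    """Host a WHATWG-URL browser actually navigates to: for http(s) URLs it
    treats every backslash as a forward slash before resolving against the page."""
    normalised = target.replace('\\', '/')
    return urllib.parse.urlparse(urllib.parse.urljoin(host_url, normalised)).netloc


# Allow-list variant (the note-6 / #7805 direction): accept a site-relative path
# only. Exactly one leading slash (so neither '//host' nor '/\host' can pass),
# then a small set of unreserved, percent-escape and query characters. fullmatch
# refuses CR, LF and backslashes simply because they are not in the class.
_SAFE_PATH = re.compile(r'/(?![/\\])[A-Za-z0-9._~/?=&%-]*')


def is_safe_url_allowlist(target):
    """True only for a plain site-relative path built from allow-listed characters."""
    return _SAFE_PATH.fullmatch(target) is not None


if __name__ == '__main__':
    for t in ("/mentat/users/5", "https://bxss.me/", "//bxss.me", "https:\\\\bxss.me"):
        print(f"{t!r:22} original={is_safe_url_original(t)!s:5} "
              f"browser_host={browser_host(t):20} allowlist={is_safe_url_allowlist(t)}")
```

The last row of the output is the bug: the original check accepts `https:\\bxss.me` because `urljoin` glues it onto our host as a path, yet `browser_host` shows the browser going to `bxss.me`; the allow-list check rejects it outright.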
Updated by Rajmund Hruška 12 days ago
- Related to Task #7805: Restrict allowed redirect URLs to specific addresses added
Updated by Rajmund Hruška 12 days ago
Pavel Kácha wrote in #note-6:
Rajmund Hruška wrote in #note-3:
What we could do to resolve this is to only allow relative addresses. We need to be sure that we don't use absolute ones though.
Or to also recognize correct absolute ones.
Also - wouldn't we want to be on the safe side and whitelist allowed characters instead of whack-a-moling potentially dangerous ones?
Will be solved in #7805.