
Bug #7784

closed

Open redirection

Added by Rajmund Hruška 3 months ago. Updated 12 days ago.

Status:
Closed
Priority:
Normal
Category:
Development - GUI
Target version:
Start date:
09/17/2024
Due date:
% Done:

0%

Estimated time:
To be discussed:
No

Description

GET /mentat/auth/login?next=https:%5C%5Cbxss.me HTTP/1.1
POST /mentat/users/5/update HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 250
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)Chrome/125.0.0.0 Safari/537.36
Connection: Keep-alive

csrf_token=IjA3ODI2YTVlZjhlYzU2MzUzNGJhMDNhYzE3OTU2ZGY2M2U1YTM5ZDki.ZuPhcA.H5oMlcq17Aoqq_e8yHQeSvxoro0&email=flab%40cesnet.cz&fullname=FLAB%20test&locale=cs&next=https:%5C%5Cbxss.me&organization=CESNET%20z.s.p.o.&submit=Submit&timezone=Africa/Abidjan

Related issues

Related to Mentat - Task #7805: Restrict allowed redirect URLs to specific addresses (status: New, 11/27/2024)

Actions #1

Updated by Rajmund Hruška 2 months ago

  • Status changed from New to In Progress
  • Assignee set to Rajmund Hruška
Actions #2

Updated by Rajmund Hruška 2 months ago

The issue is in the code that checks whether the URL is safe:

import urllib.parse

import flask


def _is_safe_url(target):
    """
    Check, if the URL is safe enough to be redirected to.
    """
    # Reject CR/LF so the target cannot be used to inject response headers.
    if '\n' in target or '\r' in target:
        return False

    # Compare the host of the resolved target with the host of this request.
    # urlparse() only recognises a netloc that is introduced by '//'; anything
    # else is parsed as a relative path and resolved against host_url.
    ref_url = urllib.parse.urlparse(flask.request.host_url)
    test_url = urllib.parse.urlparse(urllib.parse.urljoin(flask.request.host_url, target))
    return test_url.scheme in ('http', 'https') and \
           ref_url.netloc == test_url.netloc

From the documentation of urllib:

Following the syntax specifications in RFC 1808, urlparse recognizes a netloc only if it is properly introduced by ‘//’. Otherwise the input is presumed to be a relative URL and thus to start with a path component.

The question still is why https:\\bxss.me is a valid address.

Actions #3

Updated by Rajmund Hruška 2 months ago

What we could do to resolve this is to only allow relative addresses. We need to be sure that we don't use absolute ones though.

Actions #4

Updated by Rajmund Hruška 2 months ago

  • Assignee deleted (Rajmund Hruška)
Actions #5

Updated by Rajmund Hruška 2 months ago

  • Status changed from In Progress to Resolved
  • Assignee set to Rajmund Hruška
  • Target version changed from Backlog to 2.14
Actions #6

Updated by Pavel Kácha about 2 months ago

Rajmund Hruška wrote in #note-3:

What we could do to resolve this is to only allow relative addresses. We need to be sure that we don't use absolute ones though.

Or to also recognize correct absolute ones.

Also - wouldn't we want to be on the safe side and whitelist allowed characters instead of whack-a-moling potentially dangerous ones?
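
The parser mismatch described in note #2 and the allowlist approach suggested in notes #3 and #6, shown side by side as an added example that is not Mentat's own code: `host_url` is passed in as a constructed value instead of being read from `flask.request`, and `host_as_browser_sees` is an assumed approximation of WHATWG URL parsing (browsers treat a backslash after `https:` as a slash), not a full parser.

```python
import re
import urllib.parse

# Constructed stand-in for flask.request.host_url (the deployed Mentat host).
HOST_URL = "https://mentat.example.org/"


def is_safe_url_original(target: str, host_url: str = HOST_URL) -> bool:
    """The check from note #2, with host_url passed in instead of read from flask.request."""
    if "\n" in target or "\r" in target:
        return False
    ref_url = urllib.parse.urlparse(host_url)
    test_url = urllib.parse.urlparse(urllib.parse.urljoin(host_url, target))
    return test_url.scheme in ("http", "https") and ref_url.netloc == test_url.netloc


def host_as_browser_sees(target: str, host_url: str = HOST_URL) -> str:
    """Approximate the WHATWG URL parser used by browsers (assumption: a plain
    replace is enough here): for http(s) URLs a backslash is treated like a slash,
    so 'https:\\\\bxss.me' is read as 'https://bxss.me'."""
    normalised = target.replace("\\", "/")
    return urllib.parse.urlparse(urllib.parse.urljoin(host_url, normalised)).netloc


# Allowlist for a relative 'next' value (notes #3 and #6): one leading '/', then
# only URL-safe characters. The lookahead rejects '//' and '/\' (protocol-relative
# URLs); ':' is not in the class, so no scheme can be smuggled in.
_SAFE_NEXT = re.compile(r"^/(?![/\\])[A-Za-z0-9._~%/?=&-]*$")


def is_safe_url_hardened(target: str) -> bool:
    """Accept only same-site relative paths; callers fall back to a fixed page otherwise."""
    if not _SAFE_NEXT.fullmatch(target):
        return False
    parts = urllib.parse.urlparse(target)
    # Belt and braces: the parser must agree that there is no scheme and no host.
    return parts.scheme == "" and parts.netloc == ""


def compare(targets):
    """Per target: (original verdict, host the browser would go to, hardened verdict)."""
    return {t: (is_safe_url_original(t), host_as_browser_sees(t), is_safe_url_hardened(t))
            for t in targets}


if __name__ == "__main__":
    for target, row in compare(["/mentat/users/5", "//bxss.me/x",
                                "https://bxss.me", "https:\\\\bxss.me"]).items():
        print(f"{target!r:24} original={row[0]!s:5} browser_host={row[1]:20} hardened={row[2]}")
```

The row for `https:\\bxss.me` is the bug: `urljoin` resolves it to a path on the Mentat host, so the original check returns True, while the browser follows the Location header to bxss.me.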

Actions #7

Updated by Rajmund Hruška 12 days ago

  • Related to Task #7805: Restrict allowed redirect URLs to specific addresses added
Actions #8

Updated by Rajmund Hruška 12 days ago

  • Status changed from Resolved to Closed
Actions #9

Updated by Rajmund Hruška 12 days ago

Pavel Kácha wrote in #note-6:

Rajmund Hruška wrote in #note-3:

What we could do to resolve this is to only allow relative addresses. We need to be sure that we don't use absolute ones though.

Or to also recognize correct absolute ones.

Also - wouldn't we want to be on the safe side and whitelist allowed characters instead of whack-a-moling potentially dangerous ones?

Will be solved in #7805.
