Bug #7784
closed
Added by Rajmund Hruška 3 months ago.
Updated 12 days ago.
Category:
Development - GUI
Description
GET /mentat/auth/login?next=https:%5C%5Cbxss.me HTTP/1.1

POST /mentat/users/5/update HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 250
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)Chrome/125.0.0.0 Safari/537.36
Connection: Keep-alive
csrf_token=IjA3ODI2YTVlZjhlYzU2MzUzNGJhMDNhYzE3OTU2ZGY2M2U1YTM5ZDki.ZuPhcA.H5oMlcq17Aoqq_e8yHQeSvxoro0&email=flab%40cesnet.cz&fullname=FLAB%20test&locale=cs&next=https:%5C%5Cbxss.me&organization=CESNET%20z.s.p.o.&submit=Submit&timezone=Africa/Abidjan
- Status changed from New to In Progress
- Assignee set to Rajmund Hruška
The issue is in the code for checking if URL is safe:
import urllib.parse

import flask


def _is_safe_url(target):
    """
    Check, if the URL is safe enough to be redirected to.
    """
    if '\n' in target or '\r' in target:
        return False
    ref_url = urllib.parse.urlparse(flask.request.host_url)
    test_url = urllib.parse.urlparse(urllib.parse.urljoin(flask.request.host_url, target))
    return test_url.scheme in ('http', 'https') and \
        ref_url.netloc == test_url.netloc
From the documentation of urllib:
Following the syntax specifications in RFC 1808, urlparse recognizes a netloc only if it is properly introduced by ‘//’. Otherwise the input is presumed to be a relative URL and thus to start with a path component.
The question still is why https:\\bxss.me is a valid address.
What we could do to resolve this is to only allow relative addresses. We need to be sure that we don't use absolute ones though.
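Added example (not part of the original issue and not Mentat's code): it replays the check quoted above against the reported `next` value and sets it beside a stricter check that accepts only local paths built from an allow-list of characters. `urljoin` resolves `https:\\bxss.me` as a path on the same host, so the netloc comparison passes, while browsers that follow the WHATWG URL standard treat `\` like `/` in http(s) URLs and leave the site. `HOST_URL`, `legacy_is_safe_url`, `is_local_target`, `explain` and the allowed character set are assumptions made for illustration.

```python
import re
from urllib.parse import urljoin, urlparse

# Hypothetical origin; the quoted code reads it from flask.request.host_url.
HOST_URL = "https://mentat.example/"


def legacy_is_safe_url(target, host_url=HOST_URL):
    """The check quoted above, with host_url passed in instead of read from Flask."""
    if "\n" in target or "\r" in target:
        return False
    ref_url = urlparse(host_url)
    test_url = urlparse(urljoin(host_url, target))
    return test_url.scheme in ("http", "https") and ref_url.netloc == test_url.netloc


# Allow-list for a local path with optional query and fragment (an assumption
# about what the application's own "next" values look like).
_LOCAL_TARGET = re.compile(
    r"/[A-Za-z0-9._~/%-]*(\?[A-Za-z0-9._~/%&=+-]*)?(#[A-Za-z0-9._~/%-]*)?"
)


def is_local_target(target):
    """Accept only same-site, path-absolute targets such as /mentat/users/5/show."""
    if not isinstance(target, str) or not _LOCAL_TARGET.fullmatch(target):
        return False  # rejects backslashes, colons, whitespace, control characters
    if target.startswith("//"):
        return False  # "//host" is a network-path reference to another host
    parts = urlparse(target)
    return parts.scheme == "" and parts.netloc == ""


def explain(target):
    """Return (urljoin result, legacy verdict, strict verdict) for one target."""
    return urljoin(HOST_URL, target), legacy_is_safe_url(target), is_local_target(target)


if __name__ == "__main__":
    # Constructed sample inputs; the first is the value from the report above.
    for t in [r"https:\\bxss.me", "/mentat/users/5/show", "//bxss.me/", "https://bxss.me/"]:
        print(repr(t), explain(t))
```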
- Assignee deleted (Rajmund Hruška)
- Status changed from In Progress to Resolved
- Assignee set to Rajmund Hruška
- Target version changed from Backlog to 2.14
Rajmund Hruška wrote in #note-3:
What we could do to resolve this is to only allow relative addresses. We need to be sure that we don't use absolute ones though.
Or to also recognize correct absolute ones.
Also - wouldn't we want to be on the safe side and whitelist allowed characters instead of whack-a-moling potentially dangerous ones?
- Related to Task #7805: Restrict allowed redirect URLs to specific addresses added
- Status changed from Resolved to Closed
Pavel Kácha wrote in #note-6:
Rajmund Hruška wrote in #note-3:
What we could do to resolve this is to only allow relative addresses. We need to be sure that we don't use absolute ones though.
Or to also recognize correct absolute ones.
Also - wouldn't we want to be on the safe side and whitelist allowed characters instead of whack-a-moling potentially dangerous ones?
Will be solved in #7805.