Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix open redirect with backslash URL #94

Merged
merged 5 commits into from
Oct 29, 2024
Merged

Fix open redirect with backslash URL #94

merged 5 commits into from
Oct 29, 2024

Conversation

GauthierGitHub
Copy link
Contributor

@GauthierGitHub GauthierGitHub commented Oct 29, 2024
edited
Loading

The goal of this PR is to disallow open redirect for URLs formed with backslashes.
Example:

  • https://<indico-base-url>/register/?next=https:\\evil.com
  • https://<indico-base-url>/register/?next=https:\evil.com

@ThiefMaster
Copy link
Member

WTF. Why do browsers convert backslashes to forward slashes instead of rejecting such nonsense?!

ThiefMaster
ThiefMaster reviewed Oct 29, 2024
View reviewed changes
tests/test_core.py Outdated Show resolved Hide resolved
@ThiefMaster
Copy link
Member

Looks like \/example.com can also be abused since browsers seem to take any backslashes and turn them into forward slashes...

@GauthierGitHub
Copy link
Contributor Author

GauthierGitHub commented Oct 29, 2024
edited by ThiefMaster
Loading

Looks like \/example.com can also be abused since browsers seem to take any backslashes and turn them into forward slashes...

Indeed well checked, simple backslash surprised me also.

@ThiefMaster
Copy link
Member

I pushed a commit that should fix all those cases. Please have another look before I merge it :)

GauthierGitHub
GauthierGitHub commented Oct 29, 2024
View reviewed changes
flask_multipass/core.py
# Browsers treat backslashes like forward slashes, while urllib doesn't.
# Since we just want to validate scheme and netloc here, we normalize
# slashes to those recognized by urllib.
url_info = urlsplit(url.replace('\\', '/'))
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure if there are cases where the backslash has a function like in older/unusual browsers (e.g. some Japanese institutions still use Internet Explorer :( ).
So I didn't use replace() but yes it seems logical.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

At least in case of Indico there aren't any cases where we'd ever expect backslashes in the next URL, and I'd expect anything else using this library to not do so either.

PS: Indico no longer supports IE for many years now, so if things there break even more, so be it. :)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ahah wise decision 👍

@ThiefMaster ThiefMaster merged commit 9b56208 into indico:master Oct 29, 2024
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ThiefMaster ThiefMaster ThiefMaster left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@GauthierGitHub @ThiefMaster