Remove dependency on is_safe_url()

jeremystretch 2022-02-01 13:31:53 -05:00
parent 7611cfddae
commit 630ff2abb4
3 changed files with 15 additions and 23 deletions


@ -9,7 +9,6 @@ from django.forms.widgets import HiddenInput
from django.shortcuts import redirect, render from django.shortcuts import redirect, render
from django.urls import reverse from django.urls import reverse
from django.utils.html import escape from django.utils.html import escape
from django.utils.http import is_safe_url
from django.utils.safestring import mark_safe from django.utils.safestring import mark_safe
from extras.signals import clear_webhooks from extras.signals import clear_webhooks
@ -259,9 +258,7 @@ class ObjectImportView(GetReturnURLMixin, BaseObjectView):
if '_addanother' in request.POST: if '_addanother' in request.POST:
return redirect(request.get_full_path()) return redirect(request.get_full_path())
return_url = form.cleaned_data.get('return_url') self.get_return_url(request, obj)
if return_url is not None and is_safe_url(url=return_url, allowed_hosts=request.get_host()):
return redirect(return_url)
return redirect(self.get_return_url(request, obj)) return redirect(self.get_return_url(request, obj))
else: else:
@ -507,10 +504,9 @@ class ObjectDeleteView(GetReturnURLMixin, BaseObjectView):
messages.success(request, msg) messages.success(request, msg)
return_url = form.cleaned_data.get('return_url') return_url = form.cleaned_data.get('return_url')
if return_url is not None and is_safe_url(url=return_url, allowed_hosts=request.get_host()): if return_url and return_url.startswith('/'):
return redirect(return_url) return redirect(return_url)
else: return redirect(self.get_return_url(request, obj))
return redirect(self.get_return_url(request, obj))
else: else:
logger.debug("Form validation failed") logger.debug("Form validation failed")
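Review bot: The replacement check in ObjectDeleteView, `if return_url and return_url.startswith('/')`, re-opens the open-redirect hole that is_safe_url() closed: a user-supplied `return_url` of `//attacker.example/x` (and, in most browsers, `/\attacker.example/x`) starts with `/` yet is resolved as a scheme-relative URL to another host, so the view redirects off-site. Either keep using Django's own validator under its current name, `url_has_allowed_host_and_scheme(return_url, allowed_hosts={request.get_host()}, require_https=request.is_secure())`, or at minimum reject the two prefixes: `if return_url and return_url.startswith('/') and not return_url.startswith(('//', '/\\')):`. In the ObjectImportView hunk the new side also appears to leave a bare `self.get_return_url(request, obj)` statement whose result is discarded before the `return redirect(self.get_return_url(request, obj))` line; it looks like the assignment was meant to be deleted entirely rather than turned into a no-op call. Both enclosing methods start outside the hunks.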


@ -10,7 +10,6 @@ from django.http import HttpResponseRedirect
from django.shortcuts import get_object_or_404, redirect, render from django.shortcuts import get_object_or_404, redirect, render
from django.urls import reverse from django.urls import reverse
from django.utils.decorators import method_decorator from django.utils.decorators import method_decorator
from django.utils.http import is_safe_url
from django.views.decorators.debug import sensitive_post_parameters from django.views.decorators.debug import sensitive_post_parameters
from django.views.generic import View from django.views.generic import View
from social_core.backends.utils import load_backends from social_core.backends.utils import load_backends
@ -78,17 +77,17 @@ class LoginView(View):
}) })
def redirect_to_next(self, request, logger): def redirect_to_next(self, request, logger):
if request.method == "POST": data = request.POST if request.method == "POST" else request.GET
redirect_to = request.POST.get('next', settings.LOGIN_REDIRECT_URL) redirect_url = data.get('next', settings.LOGIN_REDIRECT_URL)
if redirect_url and redirect_url.startswith('/'):
logger.debug(f"Redirecting user to {redirect_url}")
else: else:
redirect_to = request.GET.get('next', settings.LOGIN_REDIRECT_URL) if redirect_url:
logger.warning(f"Ignoring unsafe 'next' URL passed to login form: {redirect_url}")
redirect_url = reverse('home')
if redirect_to and not is_safe_url(url=redirect_to, allowed_hosts=request.get_host()): return HttpResponseRedirect(redirect_url)
logger.warning(f"Ignoring unsafe 'next' URL passed to login form: {redirect_to}")
redirect_to = reverse('home')
logger.debug(f"Redirecting user to {redirect_to}")
return HttpResponseRedirect(redirect_to)
class LogoutView(View): class LogoutView(View):
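Review bot: `redirect_url.startswith('/')` in redirect_to_next is not a safe-redirect check: a `next` value of `//attacker.example/` passes it and the browser follows the scheme-relative URL to another host, and `/\attacker.example/` is treated the same way by common browsers, so the login form becomes an open redirect precisely where phishing is most attractive. Django still ships the validator this commit removes, just renamed; use `from django.utils.http import url_has_allowed_host_and_scheme` and `if redirect_url and url_has_allowed_host_and_scheme(redirect_url, allowed_hosts={request.get_host()}, require_https=request.is_secure()):`, which also rejects `javascript:` and other non-http schemes. If the intent is to avoid that import altogether, the minimum is `not redirect_url.startswith(('//', '/\\'))` added to the condition, and a comment stating why the two prefixes are excluded. The `logger.warning` branch correctly falls back to `reverse('home')`, so only the acceptance condition needs to change.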


@ -1,10 +1,7 @@
from django.contrib.auth.mixins import AccessMixin from django.contrib.auth.mixins import AccessMixin
from django.core.exceptions import ImproperlyConfigured from django.core.exceptions import ImproperlyConfigured
from django.shortcuts import get_object_or_404, redirect
from django.urls import reverse from django.urls import reverse
from django.urls.exceptions import NoReverseMatch from django.urls.exceptions import NoReverseMatch
from django.utils.http import is_safe_url
from django.views.generic import View
from .permissions import resolve_permission from .permissions import resolve_permission
@ -103,9 +100,9 @@ class GetReturnURLMixin:
# First, see if `return_url` was specified as a query parameter or form data. Use this URL only if it's # First, see if `return_url` was specified as a query parameter or form data. Use this URL only if it's
# considered safe. # considered safe.
query_param = request.GET.get('return_url') or request.POST.get('return_url') return_url = request.GET.get('return_url') or request.POST.get('return_url')
if query_param and is_safe_url(url=query_param, allowed_hosts=request.get_host()): if return_url and return_url.startswith('/'):
return query_param return return_url
# Next, check if the object being modified (if any) has an absolute URL. # Next, check if the object being modified (if any) has an absolute URL.
if obj is not None and obj.pk and hasattr(obj, 'get_absolute_url'): if obj is not None and obj.pk and hasattr(obj, 'get_absolute_url'):