Fixes #16702: Fix validation of return_url query parameter

This commit is contained in:
Jeremy Stretch 2024-06-24 11:52:35 -04:00
parent f4ac23d868
commit bfd023c6a9


@ -4,6 +4,7 @@ from django.contrib.auth.mixins import AccessMixin
from django.core.exceptions import ImproperlyConfigured from django.core.exceptions import ImproperlyConfigured
from django.urls import reverse from django.urls import reverse
from django.urls.exceptions import NoReverseMatch from django.urls.exceptions import NoReverseMatch
from django.utils.http import url_has_allowed_host_and_scheme
from django.utils.translation import gettext_lazy as _ from django.utils.translation import gettext_lazy as _
from netbox.plugins import PluginConfig from netbox.plugins import PluginConfig
@ -123,7 +124,7 @@ class GetReturnURLMixin:
# First, see if `return_url` was specified as a query parameter or form data. Use this URL only if it's # First, see if `return_url` was specified as a query parameter or form data. Use this URL only if it's
# considered safe. # considered safe.
return_url = request.GET.get('return_url') or request.POST.get('return_url') return_url = request.GET.get('return_url') or request.POST.get('return_url')
if return_url and return_url.startswith('/'): if return_url and url_has_allowed_host_and_scheme(return_url, allowed_hosts=None):
return return_url return return_url
# Next, check if the object being modified (if any) has an absolute URL. # Next, check if the object being modified (if any) has an absolute URL.
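Review bot: The new condition on the `if return_url and url_has_allowed_host_and_scheme(return_url, allowed_hosts=None):` line no longer requires a root-relative path, so a value with no leading slash (for example `devices/`) now passes and the browser resolves it against the current page; if only absolute paths were intended, keep both checks: `if return_url and return_url.startswith('/') and url_has_allowed_host_and_scheme(return_url, allowed_hosts=None):`. With `allowed_hosts=None` the helper rejects any value that carries a host, including the protocol-relative form the old `startswith('/')` test accepted, which appears to be what #16702 is about. The `# considered safe.` comment above the check should say what safe now means, e.g. `# considered safe: it carries no scheme and no host (see url_has_allowed_host_and_scheme), so it cannot redirect off-site.` No test change is visible in this view; a regression case for a host-bearing value would pin the new behaviour if one is not already part of the commit. The enclosing get_return_url method starts outside the hunk.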