Fixed #442. Do not allow redirects to external sites from create/edit/delete model views

49850f94 · Serge S. Koval · 6cf9b937 · 49850f94 · 49850f94 · 49850f94
Commit 49850f94 authored Jan 15, 2014 by Serge S. Koval
Show whitespace changes
Inline Side-by-side

Showing with 43 additions and 4 deletions

helpers.py flask_admin/helpers.py +16 -0

base.py flask_admin/model/base.py +4 -4

test_basic.py flask_admin/tests/sqlamodel/test_basic.py +23 -0

No files found.
--- a/flask_admin/helpers.py
+++ b/flask_admin/helpers.py
 from re import sub
+from urlparse import urlparse, urljoin
 from jinja2 import contextfunction
 from flask import g, request
 from wtforms.validators import DataRequired, InputRequired

+
 from ._compat import string_types


@@ -96,3 +98,17 @@ def prettify_class_name(name):
            String to split
    """
    return sub(r'(?<=.)([A-Z])', r' \1', name)
+
+
+def is_safe_url(target):
+    ref_url = urlparse(request.host_url)
+    test_url = urlparse(urljoin(request.host_url, target))
+    return (test_url.scheme in ('http', 'https') and
+            ref_url.netloc == test_url.netloc)
+
+
+def get_redirect_target(param_name='url'):
+    target = request.values.get(param_name)
+
+    if target and is_safe_url(target):
+        return target
--- a/flask_admin/model/base.py
+++ b/flask_admin/model/base.py
@@ -10,7 +10,7 @@ from flask.ext.admin.base import BaseView, expose
 from flask.ext.admin.form import BaseForm, FormOpts, rules
 from flask.ext.admin.model import filters, typefmt
 from flask.ext.admin.actions import ActionsMixin
-from flask.ext.admin.helpers import get_form_data, validate_form_on_submit
+from flask.ext.admin.helpers import get_form_data, validate_form_on_submit, get_redirect_target
 from flask.ext.admin.tools import rec_getattr
 from flask.ext.admin._backwards import ObsoleteAttr
 from flask.ext.admin._compat import iteritems, as_unicode
@@ -1200,7 +1200,7 @@ class BaseModelView(BaseView, ActionsMixin):
        """
            Create model view
        """
-        return_url = request.args.get('url') or url_for('.index_view')
+        return_url = get_redirect_target() or url_for('.index_view')

        if not self.can_create:
            return redirect(return_url)
@@ -1228,7 +1228,7 @@ class BaseModelView(BaseView, ActionsMixin):
        """
            Edit model view
        """
-        return_url = request.args.get('url') or url_for('.index_view')
+        return_url = get_redirect_target() or url_for('.index_view')

        if not self.can_edit:
            return redirect(return_url)
@@ -1266,7 +1266,7 @@ class BaseModelView(BaseView, ActionsMixin):
        """
            Delete model view. Only POST method is allowed.
        """
-        return_url = request.args.get('url') or url_for('.index_view')
+        return_url = get_redirect_target() or url_for('.index_view')

        # TODO: Use post
        if not self.can_delete:

--- a/flask_admin/tests/sqlamodel/test_basic.py
+++ b/flask_admin/tests/sqlamodel/test_basic.py
@@ -840,3 +840,26 @@ def test_ajax_fk_multi():
    ok_(mdl is not None)
    ok_(mdl.model1 is not None)
    eq_(len(mdl.model1), 1)
+
+
+def test_safe_redirect():
+    app, db, admin = setup()
+    Model1, _ = create_models(db)
+    db.create_all()
+
+    view = CustomModelView(Model1, db.session)
+    admin.add_view(view)
+
+    client = app.test_client()
+
+    rv = client.post('/admin/model1view/new/?url=http://localhost/admin/model2view/',
+                     data=dict(test1='test1large', test2='test2'))
+
+    eq_(rv.status_code, 302)
+    eq_(rv.location, 'http://localhost/admin/model2view/')
+
+    rv = client.post('/admin/model1view/new/?url=http://google.com/evil/',
+                     data=dict(test1='test1large', test2='test2'))
+
+    eq_(rv.status_code, 302)
+    eq_(rv.location, 'http://localhost/admin/model1view/')