Unverified Commit 8af10e0b authored by Serge S. Koval's avatar Serge S. Koval Committed by GitHub

Merge pull request #1699 from lbhsot/master

refs #1503 fix reflected xss
parents 19397625 aca862f7
from re import sub from re import sub, compile
from jinja2 import contextfunction from jinja2 import contextfunction
from flask import g, request, url_for, flash from flask import g, request, url_for, flash
from wtforms.validators import DataRequired, InputRequired from wtforms.validators import DataRequired, InputRequired
...@@ -9,6 +9,8 @@ from ._compat import string_types ...@@ -9,6 +9,8 @@ from ._compat import string_types
VALID_SCHEMES = ['http', 'https'] VALID_SCHEMES = ['http', 'https']
_substitute_whitespace = compile(r'[\s\x00-\x08\x0B\x0C\x0E-\x19]+').sub
_fix_multiple_slashes = compile(r'(^([^/]+:)?//)/*').sub
def set_current_view(view): def set_current_view(view):
...@@ -131,8 +133,18 @@ def prettify_class_name(name): ...@@ -131,8 +133,18 @@ def prettify_class_name(name):
def is_safe_url(target): def is_safe_url(target):
# prevent urls like "\\www.google.com"
# some browser will change \\ to // (eg: Chrome)
# refs https://stackoverflow.com/questions/10438008
target = target.replace('\\', '/')
# handle cases like "j a v a s c r i p t:"
target = _substitute_whitespace('', target)
# Chrome and FireFox "fix" more than two slashes into two after protocol
target = _fix_multiple_slashes(lambda m: m.group(1), target, 1)
# prevent urls starting with "javascript:" # prevent urls starting with "javascript:"
target = target.strip()
target_info = urlparse(target) target_info = urlparse(target)
target_scheme = target_info.scheme target_scheme = target_info.scheme
if target_scheme and target_scheme not in VALID_SCHEMES: if target_scheme and target_scheme not in VALID_SCHEMES:
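Review bot: The character class behind `_substitute_whitespace` (defined earlier in this file section) ends at `\x19`, and `\s` does not match `\x1a` or `\x1b`, so a leading ESC byte in front of a `javascript:` scheme survives every normalisation step in `is_safe_url` and reaches `urlparse` unstripped. Browsers following the WHATWG URL parser drop leading and trailing C0 controls (`\x00`–`\x1f`) before parsing, so whether the `VALID_SCHEMES` check then fires depends on whether the `urlparse` in use strips them as well (recent CPython releases do, older ones do not). Widening the range to `\x0E-\x1F` makes the check independent of the stdlib version: `_substitute_whitespace = compile(r'[\s\x00-\x08\x0B\x0C\x0E-\x1F]+').sub`, pinned by `assert not helpers.is_safe_url('\x1bjavascript:alert(document.domain)')` in `test_is_safe_url`. With all whitespace already removed by that substitution, the following `target = target.strip()` is redundant but harmless. `is_safe_url` still has no docstring; a short one describing the three normalisations (backslash folding, control-character removal, slash collapsing after `//` or `scheme://`) and the scheme whitelist would help the next reader, and the rest of the function body lies outside this hunk.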
...@@ -11,7 +11,14 @@ def test_is_safe_url(): ...@@ -11,7 +11,14 @@ def test_is_safe_url():
assert helpers.is_safe_url('https://127.0.0.1/admin/car/') assert helpers.is_safe_url('https://127.0.0.1/admin/car/')
assert helpers.is_safe_url('/admin/car/') assert helpers.is_safe_url('/admin/car/')
assert helpers.is_safe_url('admin/car/') assert helpers.is_safe_url('admin/car/')
assert helpers.is_safe_url('http////www.google.com')
assert not helpers.is_safe_url('http://127.0.0.2/admin/car/') assert not helpers.is_safe_url('http://127.0.0.2/admin/car/')
assert not helpers.is_safe_url(' javascript:alert(document.domain)') assert not helpers.is_safe_url(' javascript:alert(document.domain)')
assert not helpers.is_safe_url('javascript:alert(document.domain)') assert not helpers.is_safe_url('javascript:alert(document.domain)')
assert not helpers.is_safe_url('javascrip\nt:alert(document.domain)')
assert not helpers.is_safe_url(r'\\www.google.com')
assert not helpers.is_safe_url(r'\\/www.google.com')
assert not helpers.is_safe_url('/////www.google.com')
assert not helpers.is_safe_url('http:///www.google.com')
assert not helpers.is_safe_url('https:////www.google.com')
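Review bot: The positive assertion `assert helpers.is_safe_url('http////www.google.com')` reads as if a google.com URL were being accepted, when it passes only because the string contains no `:` and so `urlparse` sees a scheme-less relative path that `_fix_multiple_slashes` leaves untouched (its pattern is anchored on `//` or `scheme://`). A one-line comment above it would stop a future reader from "fixing" the test the wrong way, e.g. `# no ':' -> no scheme; parsed as a relative path, not an absolute URL`. The same is worth stating for the raw-string cases `r'\\www.google.com'` and `r'\\/www.google.com'`, whose expected outcome depends on the backslash-to-slash folding done before parsing.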