Disable covert redirects and CSRF token leaking

This disallows the url() function from returning any remote URLs. This prevents covert redirects, and also prevents us from leaking CSRF tokens to outside parties. Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
fedora-infra · May 5, 2017 · b27f38a · b27f38a
1 parent 6cf9094
commit b27f38a
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/fedora/tg/utils.py b/fedora/tg/utils.py
@@ -81,6 +81,11 @@ def url(tgpath, tgparams=None, **kwargs):
     '''
     if not isinstance(tgpath, six.string_types):
         tgpath = '/'.join(list(tgpath))
+    if not tgpath.startswith('/'):
+        # Do not allow the url() function to be used for external urls.
+        # This function is primarily used in redirect() calls, so this prevents
+        # covert redirects and thus CSRF leaking.
+        tgpath = '/'
     if tgpath.startswith('/'):
         webpath = (config.get('server.webpath') or '').rstrip('/')
         if tg_util.request_available():