lines changed Original file line number Diff line number Diff line change 66import io
77import base64
88from datetime import datetime
9-
9+ from urllib . parse import urlparse
1010auth_bp = Blueprint ('auth' , __name__ )
1111
1212@auth_bp .route ('/login' , methods = ['GET' , 'POST' ])
@@ -32,7 +32,11 @@ def login():
3232 login_user (user )
3333
3434 next_page = request .args .get ('next' )
35- return redirect (next_page ) if next_page else redirect (url_for ('index' ))
35+ if next_page :
36+ safe_next = next_page .replace ('\\ ' , '' )
37+ if not urlparse (safe_next ).netloc and not urlparse (safe_next ).scheme :
38+ return redirect (safe_next )
39+ return redirect (url_for ('index' ))
3640 else :
3741 flash ('Invalid 2FA code' , 'error' )
3842 # Show 2FA form again with username preserved
@@ -54,7 +58,11 @@ def login():
5458 login_user (user )
5559
5660 next_page = request .args .get ('next' )
57- return redirect (next_page ) if next_page else redirect (url_for ('index' ))
61+ if next_page :
62+ safe_next = next_page .replace ('\\ ' , '' )
63+ if not urlparse (safe_next ).netloc and not urlparse (safe_next ).scheme :
64+ return redirect (safe_next )
65+ return redirect (url_for ('index' ))
5866 else :
5967 flash ('Invalid username or password' , 'error' )
6068
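Review bot: The new check at new-side lines 37-38 (repeated verbatim at 63-64) only asserts that `urlparse` sees an empty scheme and netloc, which is a weaker guarantee than "the redirect stays on this host" and has to be patched per bypass, as the backslash strip on the line before it already shows; the same six lines are also duplicated in both login branches. A more robust form resolves the candidate against `request.host_url` with `urljoin` (same `urllib.parse` import the commit adds) and accepts it only when the resolved scheme is http/https and its netloc equals the application's own, so anything that does not land on this host is rejected regardless of how it parses. Putting that in one module-level helper lets both branches go back to the original one-line `return redirect(next_page) if next_page else redirect(url_for('index'))`, and it also avoids calling `urlparse(safe_next)` twice per condition. The enclosing `login()` starts outside the hunk, and the 2FA branch around line 37 has the identical change.
```python
def _safe_redirect_target(target):
    """Return *target* (backslashes removed) only if it resolves to an
    http(s) URL on this application's own host; otherwise return None."""
    if not target:
        return None
    cleaned = target.replace('\\', '')
    ref = urlparse(request.host_url)
    test = urlparse(urljoin(request.host_url, cleaned))
    if test.scheme in ('http', 'https') and ref.netloc == test.netloc:
        return cleaned
    return None

# … unchanged: login() body up to the successful-login branches …
            next_page = _safe_redirect_target(request.args.get('next'))
            return redirect(next_page) if next_page else redirect(url_for('index'))
```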