fix: next url targets

muhammad-ali-pk · muhammad-ali-pk · commit d72f10a2b320 · 2026-03-27T16:42:14.000+05:00
diff --git a/webapp/sso.py b/webapp/sso.py
@@ -1,6 +1,6 @@
 import functools
 import os
-from urllib.parse import urlparse
+from urllib.parse import urljoin, urlparse
 
 import flask
 from authlib.integrations.flask_client import OAuth
@@ -12,10 +12,27 @@
 LAUNCHPAD_API_URL = "https://api.launchpad.net/1.0"
 
 
-def _safe_redirect_url(target):
-    if target and urlparse(target).netloc == "":
-        return target
-    return "/manager"
+def is_safe_url(target):
+    # Ensure the target is not empty
+    if not target:
+        return False
+
+    # Get the root URL of your own application
+    ref_url = urlparse(flask.request.host_url)
+    test_url = urlparse(urljoin(flask.request.host_url, target))
+
+    # Check that the scheme is http/https and the netloc matches your host
+    return (
+        test_url.scheme in ("http", "https")
+        and ref_url.netloc == test_url.netloc
+    )
+
+
+def _safe_redirect():
+    target = flask.request.args.get("next")
+    if not is_safe_url(target):
+        target = "/manager"
+    return flask.redirect(target)
 
 
 def init_sso(app):
@@ -36,9 +53,7 @@ def init_sso(app):
     @app.route("/login")
     def login():
         if "openid" in flask.session:
-            return flask.redirect(
-                _safe_redirect_url(flask.request.args.get("next"))
-            )
+            return _safe_redirect()
 
         redirect_uri = flask.url_for("oauth_callback", _external=True)
         return oauth.canonical.authorize_redirect(redirect_uri)
@@ -77,10 +92,7 @@ def oauth_callback():
             "email": token["userinfo"]["email"],
             "fullname": token["userinfo"]["name"],
         }
-
-        return flask.redirect(
-            _safe_redirect_url(flask.request.args.get("next"))
-        )
+        return _safe_redirect()
 
 
 def login_required(func):
