Skip to content

fix: changes SAFE_REDIRECT_HOSTS to FAB_SAFE_REDIRECT_HOSTS #2335

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
dpgaspar merged 1 commit into from
Apr 17, 2025
Merged

fix: changes SAFE_REDIRECT_HOSTS to FAB_SAFE_REDIRECT_HOSTS #2335

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions docs/config.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -330,10 +330,14 @@ Use config.py to configure the following parameters. By default it will use SQLL
| | `generate_password_hash`_. | No |
| | Default: ``'scrypt'``. | |
+----------------------------------------+--------------------------------------------+-----------+
| FAB_SAFE_REDIRECT_HOSTS | A List[str] with allowed domains to check | |
| | when validating safe redirect | No |
+----------------------------------------+--------------------------------------------+-----------+
| FAB_PASSWORD_HASH_SALT_LENGTH | Sets the password hashing salt length. | No |
| | Default: ``16``. | |
+----------------------------------------+--------------------------------------------+-----------+


.. _generate_password_hash: https://werkzeug.palletsprojects.com/en/stable/utils/#werkzeug.security.generate_password_hash

Note
Expand Down
2 changes: 1 addition & 1 deletion flask_appbuilder/utils/base.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ def is_safe_redirect_url(url: str) -> bool:
scheme = "http"
valid_schemes = ["http", "https"]

safe_hosts = current_app.config.get("SAFE_REDIRECT_HOSTS", [])
safe_hosts = current_app.config.get("FAB_SAFE_REDIRECT_HOSTS", [])
if not safe_hosts:
safe_hosts = [urlparse(request.host_url).netloc]

Expand Down
6 changes: 3 additions & 3 deletions tests/security/test_mvc_security.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -249,7 +249,7 @@ def test_login_next_url_spoofed_host_header_disallowed(self):
"""
Ensure a spoofed Host header does not allow redirection to an untrusted domain
"""
self.app.config["SAFE_REDIRECT_HOSTS"] = ["localhost"] # trusted dev host
self.app.config["FAB_SAFE_REDIRECT_HOSTS"] = ["localhost"] # trusted dev host
self.browser_logout(self.client)

response = self.browser_login(
Expand All @@ -268,7 +268,7 @@ def test_login_next_url_spoofed_host_header_allowed_config(self):
"""
Ensure a spoofed Host header does not allow redirection to an untrusted domain
"""
self.app.config["SAFE_REDIRECT_HOSTS"] = ["localhost"] # trusted dev host
self.app.config["FAB_SAFE_REDIRECT_HOSTS"] = ["localhost"] # trusted dev host
self.browser_logout(self.client)

response = self.browser_login(
Expand All @@ -287,7 +287,7 @@ def test_login_next_url_allowed_config_wildcard(self):
"""
Ensure a spoofed Host header does not allow redirection to an untrusted domain
"""
self.app.config["SAFE_REDIRECT_HOSTS"] = ["*.localhost"] # trusted dev host
self.app.config["FAB_SAFE_REDIRECT_HOSTS"] = ["*.localhost"] # trusted dev host
self.browser_logout(self.client)

response = self.browser_login(
Expand Down