Disallow external redirects

Author: ObserverOfTime

MangAdventure/__init__.py

@@ -1,5 +1,5 @@
 """A simple manga hosting CMS written in Django."""
 
 __license__ = 'MIT'
-__version__ = '0.9.3'
+__version__ = '0.9.4'
 __author__ = 'evangelos-ch, ObserverOfTime'

config/urls.py

@@ -31,6 +31,8 @@
     )
     if find_spec('debug_toolbar'):
         from debug_toolbar import urls as djdt_urls
-        urlpatterns.append(path('__debug__/', include(djdt_urls)))
+        urlpatterns.append(
+            path('__debug__/', include(djdt_urls))  # type: ignore
+        )
 
 __all__ = ['urlpatterns']

docs/changelog.rst

@@ -1,6 +1,12 @@
 Changelog
 ---------
 
+v0.9.4
+^^^^^^
+
+* Fixed error on invalid chapter redirect
+* Fixed external redirects being allowed
+
 v0.9.3
 ^^^^^^
 

docs/install.rst

@@ -41,7 +41,7 @@ Finally, install MangAdventure inside the activated virtualenv:
 
 .. code-block:: bash
 
-   pip install -e "git+https://github.com/mangadventure/MangAdventure@v0.9.3#egg=mangadventure"
+   pip install -e "git+https://github.com/mangadventure/MangAdventure@v0.9.4#egg=mangadventure"
 
 MangAdventure also provides the following extras:
 
@@ -55,7 +55,7 @@ For example, you can install ``csp`` & ``uwsgi`` like so:
 
 .. code-block:: bash
 
-   pip install -e "git+https://github.com/mangadventure/MangAdventure@v0.9.3#egg=mangadventure[csp,uwsgi]"
+   pip install -e "git+https://github.com/mangadventure/MangAdventure@v0.9.4#egg=mangadventure[csp,uwsgi]"
 
 .. _MySQL database support:
    https://mysql.com/

reader/models.py

@@ -577,7 +577,7 @@ def __str__(self) -> str:
         """
         # TODO: use removeprefix (Py3.9+)
         if not self.series:  # pragma: no cover
-            return Series.format.default.format(
+            return Series.format.default.format(  # type: ignore
                 title=self.title or 'N/A',
                 volume=self.volume or '?',
                 number=f'{self.number:g}',

users/adapters.py

@@ -5,6 +5,7 @@
 from typing import TYPE_CHECKING
 
 from allauth.account.adapter import DefaultAccountAdapter
+from allauth.account.utils import get_next_redirect_url
 from allauth.socialaccount.adapter import DefaultSocialAccountAdapter
 
 if TYPE_CHECKING:  # pragma: no cover
@@ -23,7 +24,7 @@ def get_login_redirect_url(self, request: HttpRequest) -> str:
 
         :return: The URL of the redirect.
         """
-        return request.GET.get('next', '/user')
+        return get_next_redirect_url(request) or '/user'
 
     def get_logout_redirect_url(self, request: HttpRequest) -> str:
         """
@@ -33,7 +34,7 @@ def get_logout_redirect_url(self, request: HttpRequest) -> str:
 
         :return: The URL of the redirect.
         """
-        return request.POST.get('next', '/')
+        return get_next_redirect_url(request) or '/'
 
 
 class SocialAccountAdapter(DefaultSocialAccountAdapter):
@@ -49,7 +50,7 @@ def get_connect_redirect_url(self, request: HttpRequest,
 
         :return: The URL of the redirect.
         """
-        return request.POST.get('next', '/user')
+        return get_next_redirect_url(request) or '/user'
 
 
 __all__ = ['AccountAdapter', 'SocialAccountAdapter']

users/tests/test_adapters.py

@@ -15,6 +15,8 @@ def setup_method(self):
         self.request.GET = {'next': self.next_url}
         self.request.POST = {'next': self.next_url}
         self.empty_request = HttpRequest()
+        self.external_request = HttpRequest()
+        self.external_request.GET = {'next': 'https://test.com'}
         self.adapter = AccountAdapter()
         self.social_adapter = SocialAccountAdapter()
 
@@ -28,6 +30,10 @@ def test_get_login_redirect_url_no_next(self):
         assert '/user' == self.adapter \
             .get_login_redirect_url(self.empty_request)
 
+    def test_get_login_redirect_url_external(self):
+        assert '/user' == self.adapter \
+            .get_login_redirect_url(self.external_request)
+
     def test_get_logout_redirect_url(self):
         assert self.next_url == self.adapter \
             .get_logout_redirect_url(self.request)
@@ -36,6 +42,10 @@ def test_get_logout_redirect_url_no_next(self):
         assert '/' == self.adapter \
             .get_logout_redirect_url(self.empty_request)
 
+    def test_get_logout_redirect_url_external(self):
+        assert '/' == self.adapter \
+            .get_logout_redirect_url(self.external_request)
+
 
 class TestSocialAccountAdapter(UserAdapterTestBase):
     def setup_method(self):
@@ -45,9 +55,16 @@ def setup_method(self):
         )
 
     def test_get_connect_redirect_url(self):
-        assert self.next_url == self.social_adapter \
-            .get_connect_redirect_url(self.request, self.social_account)
+        assert self.next_url == self.social_adapter.get_connect_redirect_url(
+            self.request, self.social_account
+        )
 
     def test_get_connect_redirect_url_no_next(self):
-        assert '/user' == self.social_adapter \
-            .get_connect_redirect_url(self.empty_request, self.social_account)
+        assert '/user' == self.social_adapter.get_connect_redirect_url(
+            self.empty_request, self.social_account
+        )
+
+    def test_get_connect_redirect_url_external(self):
+        assert '/user' == self.social_adapter.get_connect_redirect_url(
+            self.external_request, self.social_account
+        )