

fix(sec): fix unverified open redirect (#51)
chore: upgrade weasyprint
rmoesbergen authored Jan 12, 2024
1 parent aecae53 commit f42a9c1
Showing 3 changed files with 15 additions and 16 deletions.
11 changes: 11 additions & 0 deletions LedenAdministratie/utils.py
Expand Up @@ -2,7 +2,9 @@

from django.core.mail import EmailMessage
from django.http.request import HttpRequest
from django.shortcuts import reverse
from oauth2_provider.models import AccessToken
from urllib.parse import urlparse

from LedenAdministratie.models import Setting

Expand Down Expand Up @@ -42,3 +44,12 @@ def get_access_token(request: HttpRequest) -> Optional[AccessToken]:
except AccessToken.DoesNotExist:
return None
return token

@staticmethod
def get_safe_return_url(request: HttpRequest) -> str:
if url := request.META.get("HTTP_REFERER", ""):
print(f"REFER: {url}")
path = urlparse(url).path
if path.startswith("/"):
return path
return reverse("members")
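Review bot: The `path.startswith("/")` test in `get_safe_return_url` still accepts a scheme-relative target, because a Referer of the form `https://host//other.example/x` (constructed example) gives `urlparse(url).path == "//other.example/x"`, which passes the check and is emitted as a `Location` that browsers resolve against `other.example`; a `/\` prefix likely behaves the same way, since browser URL parsers normalise backslashes to slashes. Django ships this exact check as `url_has_allowed_host_and_scheme` in `django.utils.http` (Django 3.0+, which the pinned `django-two-factor-auth` version suggests is in use), and using it also keeps the query string that the old code preserved instead of returning only the path. The `print(f"REFER: {url}")` on the line above writes every caller's Referer to stdout and looks like leftover debugging; drop it or use the module logger at debug level. The enclosing class starts outside the hunk, and the helper needs `from django.utils.http import url_has_allowed_host_and_scheme` at the top of the file.
```python
    @staticmethod
    def get_safe_return_url(request: HttpRequest) -> str:
        """Return the Referer as a redirect target only if it points back at this host, else the members page."""
        url = request.META.get("HTTP_REFERER", "")
        # Rejects foreign hosts, "//"- and "/\"-prefixed targets, and non-http(s) schemes.
        if url_has_allowed_host_and_scheme(
            url, allowed_hosts={request.get_host()}, require_https=request.is_secure()
        ):
            return url
        return reverse("members")
```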
18 changes: 3 additions & 15 deletions LedenAdministratie/views.py
Expand Up @@ -166,11 +166,7 @@ class MemberDeleteNoteView(OTPRequiredMixin, PermissionRequiredMixin, View):
def get(self, request, *args, **kwargs):
note = Note.objects.get(pk=kwargs["pk"])
note.delete()
if "HTTP_REFERER" in request.META:
url = request.META["HTTP_REFERER"]
else:
url = reverse("members")
return HttpResponseRedirect(url)
return HttpResponseRedirect(Utils.get_safe_return_url(request))


class MemberEditNoteView(OTPRequiredMixin, PermissionRequiredMixin, UpdateView):
Expand Down Expand Up @@ -267,11 +263,7 @@ class InvoiceDeleteView(OTPRequiredMixin, PermissionRequiredMixin, View):
def get(self, request, *args, **kwargs):
invoice = Invoice.objects.get(pk=kwargs["pk"])
invoice.delete()
if "HTTP_REFERER" in request.META:
url = request.META["HTTP_REFERER"]
else:
url = reverse("members")
return HttpResponseRedirect(url)
return HttpResponseRedirect(Utils.get_safe_return_url(request))


class InvoicePaymentView(OTPRequiredMixin, PermissionRequiredMixin, ListView):
Expand Down Expand Up @@ -524,8 +516,4 @@ class StripcardDeleteView(OTPRequiredMixin, PermissionRequiredMixin, View):
def get(self, request, *args, **kwargs):
stripcard = Stripcard.objects.get(pk=kwargs["pk"])
stripcard.delete()
if "HTTP_REFERER" in request.META:
url = request.META["HTTP_REFERER"]
else:
url = reverse("members")
return HttpResponseRedirect(url)
return HttpResponseRedirect(Utils.get_safe_return_url(request))
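Review bot: Each of the three rewritten `get` methods (`MemberDeleteNoteView`, `InvoiceDeleteView`, `StripcardDeleteView`) still deletes the record in response to a plain GET, so the new safe-redirect guard protects the response of a state change that is reachable without a CSRF token; that predates this commit, but moving the delete into `post` and rendering a small form instead of a link is the change that closes it. The three bodies are now identical apart from the model, so a shared mixin or helper would avoid repeating the pattern a fourth time. `reverse` may now be unused in this module if these views were its only callers; the rest of `views.py` is outside the hunks, so confirm before removing the import. Each `get` belongs to a class whose remaining methods lie outside the hunk.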
2 changes: 1 addition & 1 deletion requirements.txt
Expand Up @@ -10,5 +10,5 @@ Pillow==10.2.0
python-dateutil==2.8.2
requests==2.31.0
requests-oauthlib==1.3.1
weasyprint==58.1
weasyprint==60.2
django-two-factor-auth[phonenumberslite,webauthn]==1.15.5
