
Commit 734b4cd

committed
Fix URL redirection from remote source
Fixes #1518
1 parent 849a1b9 commit 734b4cd

2 files changed

Lines changed: 13 additions & 3 deletions


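--- a/exercise/views.py
+++ b/exercise/views.py
@@ -10,6 +10,7 @@
 from django.utils.decorators import method_decorator
 from django.utils.translation import gettext_lazy as _, get_language
 from django.utils.text import format_lazy
+from django.utils.http import url_has_allowed_host_and_scheme
 from django.views.decorators.clickjacking import xframe_options_exempt
 from django.views.decorators.csrf import csrf_exempt
 from django.db import DatabaseError
@@ -62,7 +63,10 @@ def post(self, request, *args, **kwargs):
         SubmissionTagging.objects.create(submission=submission, tag=subtag)
 
         # Redirect back to the previous page
-        return redirect(request.headers.get('referer', '/'))
+        referer = request.headers.get('referer', '/')
+        if not url_has_allowed_host_and_scheme(url=referer, allowed_hosts={request.get_host()}):
+            referer = '/'
+        return redirect(referer)
 
 
 class SubmissionTaggingRemoveView(CourseInstanceBaseView):
@@ -80,7 +84,10 @@ def post(self, request, *args, **kwargs):
         SubmissionTagging.objects.filter(submission=submission, tag=subtag).delete()
 
         # Redirect back to the previous page
-        return redirect(request.headers.get('referer', '/'))
+        referer = request.headers.get('referer', '/')
+        if not url_has_allowed_host_and_scheme(url=referer, allowed_hosts={request.get_host()}):
+            referer = '/'
+        return redirect(referer)
 
 
 class ExerciseInfoView(ExerciseBaseView):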
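Review bot: The new check in both `post` hunks omits `require_https=request.is_secure()`, so on an HTTPS deployment a Referer of `http://<same-host>/...` still passes `url_has_allowed_host_and_scheme` and the client is redirected to a cleartext URL; Django's own LoginView passes that flag for exactly this reason. The same four lines are now repeated verbatim in two views here (and once more in userprofile/views.py), so a small module-level helper would keep the redirect policy in one place and make the https requirement hard to forget. Both `post` bodies begin outside the hunks, so I can only see the redirect tail of each.
```python
def _safe_referer(request):
    """Return the Referer URL if it points back to this host (and scheme), else '/'."""
    referer = request.headers.get('referer', '/')
    if url_has_allowed_host_and_scheme(
        url=referer,
        allowed_hosts={request.get_host()},
        require_https=request.is_secure(),
    ):
        return referer
    return '/'

# … unchanged: SubmissionTaggingAddView.post body up to the redirect …
        return redirect(_safe_referer(request))
```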

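--- a/userprofile/views.py
+++ b/userprofile/views.py
@@ -368,4 +368,7 @@ class PseudonymizeView(BaseView):
     def get(self, request: HttpRequest) -> HttpResponse:
         pseudonymize = request.session.get("pseudonymize", False)
         request.session["pseudonymize"] = not pseudonymize
-        return HttpResponseRedirect(request.headers.get("referer", "/"))
+        referer = request.headers.get('referer', '/')
+        if not url_has_allowed_host_and_scheme(url=referer, allowed_hosts={request.get_host()}):
+            referer = '/'
+        return HttpResponseRedirect(referer)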
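Review bot: `url_has_allowed_host_and_scheme` is called on new line 372 but this file section adds no import for it — its diffstat of 4 additions and 1 deletion is fully accounted for by the four lines shown — so unless the name is already imported higher in userprofile/views.py (not visible here) this view raises NameError on every request; add `from django.utils.http import url_has_allowed_host_and_scheme` next to the file's other django imports. As in exercise/views.py, pass `require_https=request.is_secure()` so an `http://` Referer cannot redirect an HTTPS session to cleartext. The new lines also switch to single quotes while the surrounding code (`request.session.get("pseudonymize", False)` and the replaced line) uses double quotes; keep the file's quoting.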
