Re: [flask] Test if URL is local to current application
- From:
- Armin Ronacher
- Date:
- 2011-05-17 @ 11:35
Hi,
On 5/17/11 12:49 PM, Daniele Nicolodi wrote:
> in my application I redirect unauthorized errors to a login form passing
> along a 'next' argument used to bring back the user to the requested
> page upon a successful login.
Simple version:

    from flask import request
    from urlparse import urlparse, urljoin   # Python 2 stdlib module; urllib.parse on Python 3

    def is_secure_url(url):
        # Resolve the candidate against the base URL of the current request, so a
        # relative path picks up our own host while an absolute URL keeps its own.
        rv = urlparse(urljoin(request.host_url, url))
        # Accept only if the resolved host is the host this request was made to.
        return rv.netloc == request.host
Regards,
Armin
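The following is an added example, not Armin's code and not part of Flask: it carries out the same host comparison as is_secure_url above, but without a live Flask request object so it can be run and tested offline, and it exercises it against the kinds of 'next' values Daniele's question worries about (relative paths, absolute URLs to another site, scheme-relative URLs, an empty parameter). request.host_url and request.host are passed in as plain parameters; the host values below are constructed for illustration. It also goes one step beyond the thread's version by insisting on an http/https scheme and comparing host names case-insensitively.

```python
# Added example (not Armin's code, not Flask's): the host check from the thread,
# written without a live Flask request so it runs offline. The two constants
# stand in for flask.request.host_url and flask.request.host and are constructed.
from urllib.parse import urlparse, urljoin

HOST_URL = "http://localhost:5000/"   # stand-in for request.host_url (constructed)
HOST = "localhost:5000"               # stand-in for request.host (constructed)


def is_safe_redirect_target(target, host_url=HOST_URL, host=HOST):
    """Return True only if `target` resolves to the current application's host.

    Resolving against host_url first means a relative path ("/index") acquires
    our own host, while anything carrying its own authority (an absolute
    "http://..." URL or a scheme-relative "//...") keeps it and then fails the
    host comparison.
    """
    if not target:
        # urljoin(base, "") returns the base itself, which would pass the host
        # check; treat a missing or empty parameter as "nothing to redirect to".
        return False
    resolved = urlparse(urljoin(host_url, target))
    # Beyond the thread's version: require a web scheme, so a URL whose host
    # matches but whose scheme is not http/https is never handed to the browser.
    if resolved.scheme not in ("http", "https"):
        return False
    # Host names are case-insensitive, so normalise before comparing. The port
    # is part of both netloc and request.host, so "localhost:5000" must match.
    return resolved.netloc.lower() == host.lower()


def pick_redirect(next_param, host_url=HOST_URL, host=HOST, fallback="/"):
    """Return the absolute URL to send the user to after a successful login.

    Returns the *resolved* form of a safe target so the browser receives an
    unambiguous absolute URL; otherwise falls back to a fixed local path.
    """
    if is_safe_redirect_target(next_param, host_url, host):
        return urljoin(host_url, next_param)
    return urljoin(host_url, fallback)


if __name__ == "__main__":
    # Constructed sample 'next' values, including the one from the thread.
    for candidate in ["/index", "profile?tab=1", "http://localhost:5000/a",
                      "http://google.com", "//google.com/",
                      "ftp://localhost:5000/", ""]:
        print("%-26r -> %s" % (candidate, is_safe_redirect_target(candidate)))
```

In a Flask view you would call pick_redirect(request.args.get("next"), request.host_url, request.host) and pass the result to redirect(); because the function returns the resolved absolute URL, the browser cannot re-interpret a relative-looking value differently from how the server did.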
Re: [flask] Test if URL is local to current application
- From:
- Alistair Roche
- Date:
- 2011-05-17 @ 11:18
Hi Daniele,
If the next parameter is taken to be relative by your application (as
in "http://localhost/?next=/index" takes you to
"http://localhost/index") then why are you worried about people passing
in arbitrary URLs? If I passed in 'http://google.com', your
application would just direct me to
"http://localhost/http://google.com", right?
And, assuming you've got your URLs set up right, that'd just throw a 404.
Cheers,
On 17 May 2011 11:49, Daniele Nicolodi <daniele@grinta.net> wrote:
> Hello,
>
> in my application I redirect unauthorized errors to a login form passing
> along a 'next' argument used to bring back the user to the requested
> page upon a successful login.
>
> I would like to prevent this mechanism to be exploited to redirect users
> to arbitrary URLs. Therefore I would like to check if the value for the
> 'next' parameter is URL relative to the current application.
>
> I'm already passing along URLs relative to the application root, but
> nothing prevents someone to forge a request with different 'next'
> parameters. I can check if the 'next' parameter value is not a relative
> URL, but handling URL encoding and all the other tricks that may be put
> in place is tricky.
>
> Does Flask provide any facility for doing so?
>
> Thank you. Cheers,
> --
> Daniele
>
--
-- Alistair