From 7de5c530c0b6de9a39d79235eeebf8e4f9443f82 Mon Sep 17 00:00:00 2001
From: Xavier Fernandez
Date: Fri, 31 Jan 2025 14:37:19 +0100
Subject: [PATCH] security: properly retrieve next/previous/redirect urls
---
 itou/openid_connect/pro_connect/views.py | 6 +++---
 itou/www/login/views.py | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/itou/openid_connect/pro_connect/views.py b/itou/openid_connect/pro_connect/views.py
index 226f0bae9b..5976d04548 100644
--- a/itou/openid_connect/pro_connect/views.py
+++ b/itou/openid_connect/pro_connect/views.py
@@ -24,7 +24,7 @@ from itou.users.models import User
 from itou.utils import constants as global_constants
 from itou.utils.constants import ITOU_HELP_CENTER_URL
-from itou.utils.urls import add_url_params, get_absolute_url
+from itou.utils.urls import add_url_params, get_absolute_url, get_safe_url
 from itou.www.invitations_views.helpers import accept_all_pending_invitations
@@ -105,7 +105,7 @@ def _add_user_kind_error_message(request, existing_user, new_user_kind):
 def pro_connect_authorize(request):
     # Start a new session.
     user_kind = request.GET.get("user_kind")
-    previous_url = request.GET.get("previous_url", reverse("search:employers_home"))
+    previous_url = get_safe_url(request, "previous_url", fallback_url=reverse("search:employers_home"))
     next_url = request.GET.get("next_url")
     if next_url and not url_has_allowed_host_and_scheme(next_url, settings.ALLOWED_HOSTS, request.is_secure()):
         return _redirect_to_login_page_on_error(error_msg="Forbidden external url")
@@ -305,7 +305,7 @@ def pro_connect_callback(request):
 def pro_connect_logout(request):
     token = request.GET.get("token")
     post_logout_redirect_url = reverse("pro_connect:logout_callback")
-    redirect_url = request.GET.get("redirect_url", reverse("search:employers_home"))
+    redirect_url = get_safe_url(request, "redirect_url", fallback_url=reverse("search:employers_home"))
     # Fallback on session data.
     if not token:
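Review bot: In the pro_connect_authorize hunk, `next_url` two lines below the changed line is still read with `request.GET.get("next_url")` and checked by hand with url_has_allowed_host_and_scheme, so the function now validates its two redirect parameters through two different code paths. If get_safe_url applies the same allowed-host and scheme rule (not visible from the hunk), `next_url = get_safe_url(request, "next_url")` would make the two consistent; if the explicit "Forbidden external url" error is deliberately kept for next_url while previous_url silently falls back to the home page, a one-line comment stating that would stop a later reader from "fixing" the asymmetry. The body of pro_connect_authorize continues past the hunk.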
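Review bot: In the pro_connect_logout hunk, `fallback_url=reverse("search:employers_home")` is now spelled out identically here and in pro_connect_authorize, with the same get_safe_url call shape, so a module-level default (or a small helper taking the parameter name) would keep the two from drifting when the home route changes. The function continues past the hunk, and the session fallback announced by `# Fallback on session data.` is not visible, so whether a redirect url restored from the session is also passed through get_safe_url cannot be checked here; if it is only stored after this validated read, a short comment saying so would document that the sanitised value is what gets persisted.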
diff --git a/itou/www/login/views.py b/itou/www/login/views.py
index 2507876313..2064599bca 100644
--- a/itou/www/login/views.py
+++ b/itou/www/login/views.py
@@ -60,7 +60,7 @@ def get_context_data(self, **kwargs):
         return context | extra_context
     def dispatch(self, request, *args, **kwargs):
-        if next_url := request.GET.get("next"):
+        if next_url := get_safe_url(request, "next"):
             if get_url_param_value(next_url, "channel") == ProConnectChannel.MAP_CONSEILLER:
                 params = {
                     "user_kind": UserKind.PRESCRIBER,
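Review bot: get_safe_url is not imported by this hunk and the diffstat records a single one-line change for itou/www/login/views.py, so the name must already be in scope in that module; this is worth confirming, because a missing import would surface only as a NameError when dispatch runs, not at import time. The call also omits the fallback_url argument used in pro_connect/views.py, so the branch depends on get_safe_url returning a falsy value for an absent or rejected `next` (inferred from the walrus test; confirm against its definition), which means an unsafe `next` is now silently dropped rather than reported. dispatch continues past the hunk.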