3diy
/
moonraker
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

app: don't allow open redirects in '/server/redirect' 

Validate that the URL argument against the `cors_domains` option.

Signed-off-by:  Eric Callahan <arksine.code@gmail.com>
This commit is contained in:
Eric Callahan 2022-01-28 14:05:48 -05:00
parent 41c19e4b9a
commit 9911b5c7dd
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
moonraker/app.py
View File

@ -919,4 +919,9 @@ class RedirectHandler(AuthorizedRequestHandler):
400, "No url argument provided") 400, "No url argument provided")
url = body_args['url'] url = body_args['url']
assert url is not None assert url is not None
# validate the url origin
auth: AuthComp = self.server.lookup_component('authorization', None)
if auth is None or not auth.check_cors(url.rstrip("/")):
raise tornado.web.HTTPError(
400, f"Unauthorized URL redirect: {url}")
self.redirect(url) self.redirect(url)