UMBC-CMSC447-Spring2017-Team5 / college-JUMP

https://lassa.xen.prgmr.com/collegejump/
GNU General Public License v3.0

Write integration test for ensuring that logins can't redirect to unsafe urls #48

Open alexander-bauer opened 7 years ago

alexander-bauer commented 7 years ago

A common exploit is sending users to legitimate login forms, and then redirecting from them to a malicious site. We need to ensure that our is_safe_url() function in collegejump/forms.py correctly refuses to redirect to URLs that are not the same as our site.

ichniow1 commented 7 years ago

Need an example of context for a call to is_safe_url(target); I just get errors any time I try to invoke it from inside of a test.

alexander-bauer commented 7 years ago

@ichniow1 You probably can't call the function directly with the context that's available from the test app, which is a problem if we want to write unit tests. I think it's too late in the game for those to be worthwhile, so I'm advocating integration tests. Rather than testing is_safe_url send a valid login to /login with your redirectto information set to some other domain, like https://google.com. If is_safe_url works, it will not redirect you there, but instead send you back to the front page of the app.
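An added illustration of the decision the integration test should exercise, written for this issue and not taken from the project's code: a stdlib-only reference `is_safe_url` (assumed here to take the host URL as a second argument, unlike the project's one-argument function) and the login-handler decision it feeds, with constructed `redirectto` values of the kind the test would POST to /login and then check the redirect against.

```python
from urllib.parse import urljoin, urlparse

# Constructed host URL for the examples (the site's own origin).
HOST = "https://lassa.xen.prgmr.com/collegejump/"
FRONT_PAGE = "/"


def is_safe_url(target, host_url):
    """Hypothetical reference check: True only if `target` resolves to the
    same scheme family and host as `host_url`. Not the project's code."""
    ref = urlparse(host_url)
    # urljoin turns relative paths into absolute ones and, importantly,
    # turns a protocol-relative "//evil.example" into "https://evil.example",
    # so the netloc comparison below catches it.
    test = urlparse(urljoin(host_url, target))
    return test.scheme in ("http", "https") and test.netloc == ref.netloc


def login_redirect_target(host_url, redirectto, front_page=FRONT_PAGE):
    """Where a login handler should send the user after a valid login:
    the requested target only if it is safe, otherwise the front page."""
    if redirectto and is_safe_url(redirectto, host_url):
        return redirectto
    return front_page


# Constructed redirectto values and the Location the test should expect.
CASES = {
    "/collegejump/dashboard": "/collegejump/dashboard",   # same site, relative
    HOST: HOST,                                           # same site, absolute
    "https://google.com": FRONT_PAGE,                     # other domain
    "//google.com": FRONT_PAGE,                           # protocol-relative
    "https://lassa.xen.prgmr.com.evil.example/": FRONT_PAGE,  # host prefix trick
    "": FRONT_PAGE,                                       # missing parameter
}


def check_cases(host_url=HOST):
    """Return True when every constructed case lands where expected."""
    return all(login_redirect_target(host_url, redirectto) == expected
               for redirectto, expected in CASES.items())


if __name__ == "__main__":
    for redirectto, expected in CASES.items():
        got = login_redirect_target(HOST, redirectto)
        print(f"{redirectto!r:45} -> {got!r}  ({'ok' if got == expected else 'FAIL'})")
```

In the real integration test the same table drives a POST to /login with valid credentials per `redirectto` value, asserting on the response's Location header rather than on the function directly.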

ichniow1 commented 7 years ago

Yeah... yet to make any real progress here.