slugbucket / crossword-hints

Python Flask web application to aid decipherment of cryptic crossword clues for known setters
GNU General Public License v3.0

Prevent open redirects after successful login #12

Closed slugbucket closed 5 years ago

slugbucket commented 5 years ago

http://flask.pocoo.org/snippets/62/ describes a means by which the redirect URL is validated (to some degree) before completing the action.

slugbucket commented 5 years ago

Tracking as feature request feat0009

$ git flow feature start feat0009
slugbucket commented 5 years ago

Initial development completed

$ git add crossword_hints.db crossword_hints.py requirements.txt
$ git commit -m "feat0009 use urllib3 parse functions to check the safety of the forwarding next URL; include urllib3 in the requirements when building via virtualenv"
$ git push --set-upstream origin feature/feat0009

requirements.txt gets an update because in Python 3 there is no urlparse (as shown in the Flask snippet); the functionality has moved to the urllib3 library and this will be needed when building with virtualenv.
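
The check described in the two comments above (the snippet-62 approach: resolve the `next` target against the site's own URL and accept it only if scheme and host match), as an added example that is not code from the crossword-hints repository. It uses the standard library's `urllib.parse`, which is where Python 3 keeps `urlparse` and `urljoin` (the separate `urllib3` package is an HTTP client and is not needed for this check). `HOST_URL` is a constructed stand-in for `flask.request.host_url`, passed as a parameter so the code runs without a request context; `safe_redirect_target` and its `fallback` argument are names chosen here. The stricter helper also covers inputs the plain netloc comparison accepts but browsers treat as external: `urlparse` reads `///evil.example` as a local path, while a browser following `Location: ///evil.example` goes to `evil.example`, so the helper always rebuilds the redirect from the parsed path rather than echoing the client's string.

```python
"""Open-redirect guard for a login ``next`` parameter (added example)."""
from urllib.parse import urljoin, urlparse, urlunparse

# Constructed value standing in for flask.request.host_url (assumption).
HOST_URL = "http://crossword.example/"


def is_safe_url(target: str, host_url: str = HOST_URL) -> bool:
    """Snippet-62 style check: target must resolve to http(s) on our own host."""
    ref = urlparse(host_url)
    test = urlparse(urljoin(host_url, target))
    return test.scheme in ("http", "https") and ref.netloc == test.netloc


def safe_redirect_target(target: str, host_url: str = HOST_URL, fallback: str = "/") -> str:
    """Return a host-relative path to redirect to, or ``fallback``.

    Stricter than is_safe_url alone:
      * the result is rebuilt from path, params, query and fragment only, so the
        Location header never carries a scheme or host, whatever the client sent
        (this is what neutralises "///evil.example", which urlparse reads as the
        local path "/evil.example");
      * a rebuilt path starting with "//" is rejected, because browsers read a
        scheme-relative Location as an external host;
      * backslashes are rejected, because browsers treat "\\" as "/" in URLs
        while urlparse does not.
    """
    if not target or not is_safe_url(target, host_url):
        return fallback
    if "\\" in target:
        return fallback
    parsed = urlparse(urljoin(host_url, target))
    path = parsed.path or "/"
    if not path.startswith("/") or path.startswith("//"):
        return fallback
    return urlunparse(("", "", path, parsed.params, parsed.query, parsed.fragment))


if __name__ == "__main__":
    # Constructed sample ``next`` values: benign, absolute external, and the
    # scheme-relative / backslash variants that slip past a netloc-only check.
    samples = [
        "/setters/3?edit=1",
        "setters/3",
        "https://evil.example/",
        "//evil.example/phish",
        "///evil.example",
        "////evil.example",
        "/\\evil.example",
        "javascript:alert(1)",
    ]
    for sample in samples:
        print(f"{sample!r:28} is_safe_url={is_safe_url(sample)!s:5} "
              f"redirect -> {safe_redirect_target(sample)!r}")
```

In a Flask login view this would be used as `redirect(safe_redirect_target(request.args.get("next", ""), request.host_url))`, so the user always lands on a path under the application's own host and an unacceptable `next` silently falls back to `/`.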

slugbucket commented 5 years ago

The feature should prevent the application being vulnerable to open redirects.

$ git flow feature finish feat0009
Switched to branch 'develop'
Your branch is up to date with 'origin/develop'.
Updating 2464c80..dc8eba0
Fast-forward
 crossword_hints.db | Bin 81920 -> 81920 bytes
 crossword_hints.py |  54 ++++++++++++++++++++++++++++++++++++++++++++++++++---
 requirements.txt   |   1 +
 3 files changed, 52 insertions(+), 3 deletions(-)
To github.com:slugbucket/crossword-hints.git
 - [deleted]         feature/feat0009
Deleted branch feature/feat0009 (was dc8eba0).

Summary of actions:
- The feature branch 'feature/feat0009' was merged into 'develop'
- Feature branch 'feature/feat0009' has been locally deleted; it has been remotely deleted from 'origin'
- You are now on branch 'develop'