Make website character page redirect validate url to be more secure

2026-03-16 21:06:30 +01:00 · 2024-03-17 10:03:47 +01:00 · 2024-03-17 10:03:47 +01:00 · 23b9d06db5
commit 23b9d06db5
parent 138e21a94c
2 changed files with 14 additions and 8 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -37,7 +37,8 @@
  account (Griatch)
 - [Fix][issue4311]: SSH connection caused a traceback in protocol (Griatch)
 - Fix: Resolve a bug when loading on-demand-handler data from database (Griatch)
- Security: Potentially O(n2) regex exploit in rpsystem regex (Griatch)
+- Security: Potential O(n2) regex exploit in rpsystem regex (Griatch)
+- Security: Fix potential redirect vulnerability in character page redirect (Griatch)
 - Doc fixes (iLPdev, Griatch, CloudKeeper)

 [pull3420]: https://github.com/evennia/evennia/pull/3420
--- a/evennia/web/website/views/characters.py
+++ b/evennia/web/website/views/characters.py
@ -10,19 +10,16 @@ from django.contrib.auth.mixins import LoginRequiredMixin
 from django.db.models.functions import Lower
 from django.http import HttpResponseRedirect
 from django.urls import reverse_lazy
+from django.utils.encoding import iri_to_uri
+from django.utils.http import url_has_allowed_host_and_scheme
 from django.views.generic import ListView
 from django.views.generic.base import RedirectView
-
 from evennia.utils import class_from_module
 from evennia.web.website import forms

 from .mixins import TypeclassMixin
-from .objects import (
-    ObjectCreateView,
-    ObjectDeleteView,
-    ObjectDetailView,
-    ObjectUpdateView,
-)
+from .objects import (ObjectCreateView, ObjectDeleteView, ObjectDetailView,
+                      ObjectUpdateView)


 class CharacterMixin(TypeclassMixin):
@ -125,6 +122,13 @@ class CharacterPuppetView(LoginRequiredMixin, CharacterMixin, RedirectView, Obje
        # Get the page the user came from
        next_page = self.request.GET.get("next", self.success_url)

+        # since next_page is untrusted input from the user, we need to check it's safe to
+        next_page = iri_to_uri(next_page)
+        if not url_has_allowed_host_and_scheme(url=next_page,
+                                               allowed_hosts={self.request.get_host()},
+                                               require_https=self.request.is_secure()):
+            next_page = self.success_url
+
        if char:
            # If the account owns the char, store the ID of the char in the
            # Django request's session (different from Evennia session!).
@ -136,6 +140,7 @@ class CharacterPuppetView(LoginRequiredMixin, CharacterMixin, RedirectView, Obje
            self.request.session["puppet"] = None
            messages.error(self.request, "You cannot become '%s'." % char)

+
        return next_page