def get_redirect_after_favorite_operation():
    """Build the redirect response that follows a favorite add/remove.

    The optional ``next`` form field (user-supplied, untrusted) is
    URL-decoded once and followed only when ``util.is_decoded_url_safe``
    accepts the decoded value; an unsafe value yields a 400 response.
    Without ``next`` the user is sent back to the favorites list.
    """
    raw_next = request.form.get('next')
    if not raw_next:
        return redirect(url_for('user.favorites_list'))
    # The safety check and the redirect both see the same decoded value,
    # so exactly what was validated is what gets followed.
    target = urllib.parse.unquote(raw_next)
    if not util.is_decoded_url_safe(target):
        return 'invalid next_url', 400
    return redirect(target)
def test_is_decoded_url_safe(self):
    """A relative path is accepted; any absolute URL carrying a host is rejected."""
    # Relative URL without a domain name: the only accepted shape.
    relative = '/entreprises/metz-57000/boucherie?sort=score&d=10&h=1&p=0'
    self.assertTrue(util.is_decoded_url_safe(relative))

    # Absolute URLs must be rejected whether the host is the application's
    # own domain, a local one, a look-alike, or an unrelated third party.
    rejected = [
        # correct domain name - https
        'https://labonneboite.pole-emploi.fr/entreprises/metz-57000/boucherie?sort=score&d=10&h=1&p=0',
        # correct domain name - http
        'http://labonneboite.pole-emploi.fr/entreprises/metz-57000/boucherie?sort=score&d=10&h=1&p=0',
        # wrong domain name (local host and port)
        'http://localhost:8090/entreprises/metz-57000/boucherie?sort=score&d=10&h=1&p=0',
        # wrong domain name (look-alike of the real one)
        'http://labonneboite1.beta.pole-emploi.fr/entreprises/metz-57000/boucherie?sort=score&d=10&h=1&p=0',
        # open-redirect attempt towards an unrelated host
        'http://www.doingbadthingsisbad.com/entreprises/metz-57000/boucherie?sort=score&d=10&h=1&p=0',
    ]
    for absolute in rejected:
        self.assertFalse(util.is_decoded_url_safe(absolute))
    # NOTE(review): protocol-relative inputs ('//host/path') and
    # double-encoded inputs are not covered here; worth confirming the
    # helper rejects those as well.
def pro_version():
    """
    Enable or disable "Version PRO" which is only visible to "PRO users".

    Non-PRO users get a 401. After toggling, the user is redirected to the
    ``next`` query parameter when its decoded value passes
    ``util.is_decoded_url_safe``, otherwise to the site root.
    """
    if not pro.user_is_pro():
        abort(401)
    # NOTE(review): the toggle happens before the redirect target is
    # validated, so an unsafe ``next`` still flips the flag and then lands
    # on '/'. If this view is reachable via GET, a state change on GET is
    # worth confirming against CSRF / link-prefetch concerns.
    pro.toggle_pro_version()
    # ``next`` is untrusted query-string input: decode once, then keep it
    # only if the decoded value is non-empty and passes the safety check.
    decoded_next = urllib.parse.unquote(request.args.get('next', '/'))
    safe_target = decoded_next if decoded_next and util.is_decoded_url_safe(decoded_next) else '/'
    return redirect(safe_target)