def handle(self, request):
    """Log the current user out and send them to a same-host destination.

    The destination comes from the ``REDIRECT_FIELD_NAME`` query parameter,
    which is user-controlled. It is only honoured when ``is_safe_url``
    accepts it for this request's host; otherwise the login URL is used, so
    the logout flow cannot be turned into an open redirect to another site.

    NOTE(review): ``is_safe_url(..., host=...)`` is the older Django
    signature (later releases take ``allowed_hosts=``) — confirm the target
    Django version.
    """
    destination = request.GET.get(REDIRECT_FIELD_NAME, '')
    if not is_safe_url(destination, host=request.get_host()):
        destination = auth.get_login_url()
    logout(request)
    # The request object outlives the session; swap in an anonymous user so
    # anything downstream in this request sees the logged-out state.
    request.user = AnonymousUser()
    return self.redirect(destination)
def auth(request, backend):
    """Authenticate using social backend.

    Copies the configured extra fields and the post-auth destination from
    the request into the session, clears any partial pipeline state, then
    either redirects to the backend's auth URL or returns its auth HTML.

    The destination is user-supplied; a value rejected by ``is_safe_url``
    for this host is replaced by ``DEFAULT_REDIRECT`` so the callback step
    cannot be used as an open redirect.
    """
    params = request.POST if request.method == "POST" else request.GET

    # Persist any configured extra fields for later pipeline steps.
    for field_name in setting("SOCIAL_AUTH_FIELDS_STORED_IN_SESSION", []):
        if field_name in params:
            request.session[field_name] = params[field_name]

    if REDIRECT_FIELD_NAME in params:
        # NOTE: django-sudo's `is_safe_url` is much better at catching bad
        # redirections to different domains than social_auth's
        # `sanitize_redirect` call.
        destination = params[REDIRECT_FIELD_NAME]
        if not is_safe_url(destination, host=request.get_host()):
            destination = DEFAULT_REDIRECT
        # An empty (but "safe") value still falls back to the default.
        request.session[REDIRECT_FIELD_NAME] = destination or DEFAULT_REDIRECT

    # Clean any partial pipeline info before starting the process
    clean_partial_pipeline(request)

    if backend.uses_redirect:
        return HttpResponseRedirect(backend.auth_url())
    return HttpResponse(backend.auth_html(), content_type="text/html;charset=UTF-8")
def auth_process(request, backend):
    """Authenticate using social backend.

    Stores configured extra fields and a host-checked redirect target in
    the session, resets partial pipeline state, and hands off to the
    backend (redirect or inline HTML).
    """
    def _store_redirect(params):
        # The next-URL is user-supplied; only a same-host value passes
        # is_safe_url, anything else becomes DEFAULT_REDIRECT.
        # NOTE: django-sudo's `is_safe_url` is much better at catching bad
        # redirections to different domains than social_auth's
        # `sanitize_redirect` call.
        target = params[REDIRECT_FIELD_NAME]
        if not is_safe_url(target, host=request.get_host()):
            target = DEFAULT_REDIRECT
        request.session[REDIRECT_FIELD_NAME] = target or DEFAULT_REDIRECT

    params = request.GET
    if request.method == 'POST':
        params = request.POST

    # Save extra data into session.
    stored_fields = setting('SOCIAL_AUTH_FIELDS_STORED_IN_SESSION', [])
    for field_name in stored_fields:
        if field_name in params:
            request.session[field_name] = params[field_name]

    # Save any defined next value into session
    if REDIRECT_FIELD_NAME in params:
        _store_redirect(params)

    # Clean any partial pipeline info before starting the process
    clean_partial_pipeline(request)

    if not backend.uses_redirect:
        return HttpResponse(backend.auth_html(),
                            content_type='text/html;charset=UTF-8')
    return HttpResponseRedirect(backend.auth_url())
def grant_sudo_privileges(self, request, redirect_to):
    """Elevate the session to sudo and redirect to the stored destination.

    ``redirect_to`` is the fallback used when the session holds no
    ``REDIRECT_TO_FIELD_NAME`` entry. The chosen destination is re-checked
    with ``is_safe_url`` before use, so a value that was stored earlier
    cannot send the freshly elevated session to another host; on failure
    ``REDIRECT_URL`` is resolved instead.
    """
    # Bare name resolves to the module-level helper (presumably imported
    # from sudo.utils), not to this method.
    grant_sudo_privileges(request)

    # Prefer the destination remembered from the GET step, if any.
    target = request.session.pop(REDIRECT_TO_FIELD_NAME, redirect_to)

    # Double check we're not redirecting to other sites
    if not is_safe_url(url=target, host=request.get_host()):
        target = resolve_url(REDIRECT_URL)

    return HttpResponseRedirect(target)
def test_success(self):
    """Relative paths and same-host absolute URLs are accepted."""
    cases = [
        ('/', None),
        ('/foo/', None),
        ('/', 'example.com'),
        ('http://example.com/foo', 'example.com'),
    ]
    for url, host in cases:
        self.assertTrue(is_safe_url(url, host))
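def test_failure(self):
    """Empty, other-host, non-http(s) and obfuscated targets are rejected.

    Each case is a (url, host) pair that ``is_safe_url`` must refuse; the
    later entries cover parser-confusion forms (scheme-relative with extra
    slashes, userinfo tricks, a leading control character).
    """
    cases = [
        (None, None),
        ('', ''),
        ('http://mattrobenolt.com/', 'example.com'),
        ('///example.com/', None),
        ('ftp://example.com', 'example.com'),
        # The original literal used '\@', an invalid escape sequence that
        # Python only tolerates with a warning; '\\@' is the same runtime
        # string (a backslash before the '@') without the warning.
        ('http://example.com\\@mattrobenolt.com', 'example.com'),
        ('http:///example.com', 'example.com'),
        ('\x08//example.com', 'example.com'),
    ]
    for url, host in cases:
        self.assertFalse(is_safe_url(url, host))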
def disconnect(request, backend, association_id=None):
    """Disconnects given backend from current logged in user.

    After disconnecting, redirects to the user-supplied
    ``REDIRECT_FIELD_NAME`` value if ``is_safe_url`` accepts it for this
    host, else to the backend's ``SOCIAL_AUTH_DISCONNECT_REDIRECT_URL``
    setting; an empty or rejected destination becomes ``DEFAULT_REDIRECT``.
    """
    backend.disconnect(request.user, association_id)

    # NOTE(review): request.REQUEST (merged GET/POST) was removed in
    # Django 1.9 — confirm the target Django version still provides it.
    params = request.REQUEST

    if REDIRECT_FIELD_NAME not in params:
        target = backend_setting(backend, 'SOCIAL_AUTH_DISCONNECT_REDIRECT_URL')
    else:
        # NOTE: Django's `is_safe_url` is much better at catching bad
        # redirections to different domains than social_auth's
        # `sanitize_redirect` call.
        target = params[REDIRECT_FIELD_NAME]
        if not is_safe_url(target, host=request.get_host()):
            target = DEFAULT_REDIRECT

    # Either branch may yield an empty value; never redirect to "".
    return HttpResponseRedirect(target or DEFAULT_REDIRECT)
def handle(self, request, organization, project, group_id, slug):
    """Serve a plugin's view for a group, or bounce back when it has none.

    Raises Http404 when the group does not belong to ``project`` or when
    no plugin is registered under ``slug``. If the plugin returns a falsy
    response the user is redirected to the Referer; that header is
    client-supplied, so it is only used when ``is_safe_url`` accepts it for
    this host, otherwise the group's project page is used.
    """
    group = get_object_or_404(Group, pk=group_id, project=project)

    try:
        plugin = plugins.get(slug)
    except KeyError:
        raise Http404("Plugin not found")

    GroupMeta.objects.populate_cache([group])

    view_response = plugin.get_view_response(request, group)
    if view_response:
        return view_response

    referer = request.META.get("HTTP_REFERER", "")
    if is_safe_url(referer, host=request.get_host()):
        back = referer
    else:
        back = u"/{}/{}/".format(organization.slug, group.project.slug)
    return HttpResponseRedirect(back)
def handle(self, request, organization, team, project, group_id, slug):
    """Serve a plugin's view for a group, or bounce back when it has none.

    ``team`` is accepted for URL compatibility but not used here. Raises
    Http404 when the group is not in ``project`` or ``slug`` names no
    plugin. A falsy plugin response leads to a redirect: the Referer header
    if ``is_safe_url`` accepts it for this host (it is client-controlled),
    else the group's project page.
    """
    group = get_object_or_404(Group, pk=group_id, project=project)

    try:
        plugin = plugins.get(slug)
    except KeyError:
        raise Http404('Plugin not found')

    GroupMeta.objects.populate_cache([group])

    rendered = plugin.get_view_response(request, group)
    if rendered:
        return rendered

    fallback = '/{}/{}/'.format(organization.slug, group.project.slug)
    referer = request.META.get('HTTP_REFERER', '')
    target = referer if is_safe_url(referer, host=request.get_host()) else fallback
    return HttpResponseRedirect(target)
def dispatch(self, request):
    """Prompt for sudo re-authentication, or pass through if already sudo.

    The post-sudo destination is taken from the ``REDIRECT_FIELD_NAME``
    query parameter (default ``REDIRECT_URL``) and validated with
    ``is_safe_url`` for this host so the prompt cannot forward to another
    site. On GET the destination is stashed in the session for the later
    grant step; on a successful ``handle_sudo`` the session is elevated,
    otherwise the form template is rendered.
    """
    redirect_to = request.GET.get(REDIRECT_FIELD_NAME, REDIRECT_URL)

    # Make sure we're not redirecting to other sites
    if not is_safe_url(url=redirect_to, host=request.get_host()):
        redirect_to = resolve_url(REDIRECT_URL)

    if request.is_sudo():
        return HttpResponseRedirect(redirect_to)

    if request.method == 'GET':
        request.session[REDIRECT_TO_FIELD_NAME] = redirect_to

    form = self.form_class(request.user, request.POST or None)
    context = {
        'form': form,
        'request': request,
        REDIRECT_FIELD_NAME: redirect_to,
    }

    if self.handle_sudo(request, redirect_to, context):
        return self.grant_sudo_privileges(request, redirect_to)

    if self.extra_context is not None:
        context.update(self.extra_context)

    return TemplateResponse(request, self.template_name, context)
def is_valid_redirect(url, host=None):
    """Return True when ``url`` is a usable post-login destination.

    Rejects empty values and anything starting with the login URL (which
    would bounce the user straight back to the login page), then defers to
    ``is_safe_url`` for the same-host check against ``host``.
    """
    if not url or url.startswith(get_login_url()):
        return False
    return is_safe_url(url, host=host)
def redirect(self, request):
    """Resolve the post-logout destination and delegate to the parent.

    Reads ``REDIRECT_FIELD_NAME`` from the query string; because it is
    user-controlled, a value ``is_safe_url`` rejects for this host is
    replaced by the login URL before the parent ``redirect`` runs.
    """
    destination = request.GET.get(REDIRECT_FIELD_NAME, '')
    if not is_safe_url(destination, host=request.get_host()):
        destination = auth.get_login_url()
    return super(AuthLogoutView, self).redirect(destination)