openSUSE:Leap:15.5:Update
pgadmin4.28121
File 0001-Fixes-a-redirect-vulnerability-when-the-user-opens-the-pgAdmin-URL.patch of Package pgadmin4.28121
From e2b00dda1b15a1793f365544fce2c46e47b7a47e Mon Sep 17 00:00:00 2001 From: Aditya Toshniwal <aditya.toshniwal@enterprisedb.com> Date: Mon, 19 Sep 2022 15:36:10 +0530 Subject: [PATCH] Fixes a redirect vulnerability when the user opens the pgAdmin URL. Fixes #5343 | `Issue #5343 <https://github.com/postgres/pgadmin4/issues/5343>`_ - Fixes a redirect vulnerability when the user opens the pgAdmin URL. Rebased by Antonio Larrosa <alarrosa@suse.com> Index: pgadmin4-4.30/web/pgadmin/authenticate/__init__.py =================================================================== --- pgadmin4-4.30.orig/web/pgadmin/authenticate/__init__.py +++ pgadmin4-4.30/web/pgadmin/authenticate/__init__.py @@ -17,12 +17,12 @@ from flask_babelex import gettext from flask_security import current_user from flask_security.views import _security, _ctx from flask_security.utils import config_value, get_post_logout_redirect, \ - get_post_login_redirect, logout_user + logout_user from flask import session import config -from pgadmin.utils import PgAdminModule +from pgadmin.utils import PgAdminModule, get_safe_post_login_redirect from pgadmin.utils.constants import KERBEROS from pgadmin.utils.csrf import pgCSRFProtect @@ -94,7 +94,7 @@ def login(): return flask.redirect(get_post_logout_redirect()) session['_auth_source_manager_obj'] = current_auth_obj - return flask.redirect(get_post_login_redirect()) + return flask.redirect(get_safe_post_login_redirect()) elif isinstance(msg, Response): return msg Index: pgadmin4-4.30/web/pgadmin/utils/__init__.py =================================================================== --- pgadmin4-4.30.orig/web/pgadmin/utils/__init__.py +++ pgadmin4-4.30/web/pgadmin/utils/__init__.py 
@@ -12,9 +12,10 @@ import sys from collections import defaultdict from operator import attrgetter -from flask import Blueprint, current_app +from flask import Blueprint, current_app, url_for from flask_babelex import gettext from flask_security import current_user, login_required +from flask_security.utils import get_post_login_redirect from threading import Lock from .paths import get_storage_directory @@ -354,3 +355,13 @@ class KeyManager: if user is not None: del self.users[current_user.id] + +def get_safe_post_login_redirect(): + allow_list = [ + url_for('browser.index') + ] + url = get_post_login_redirect() + if url in allow_list: + return url + + return "/"
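Review bot: in the first hunk of web/pgadmin/authenticate/__init__.py (@@ -17,12 +17,12 @@) the name get_post_login_redirect is dropped from the flask_security.utils import while get_post_logout_redirect is kept; that is only correct if the login() call site changed in the next hunk was the sole remaining use in this module, so grep the file for get_post_login_redirect before merging. Importing get_safe_post_login_redirect alongside PgAdminModule from pgadmin.utils is consistent with the existing import line.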
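Review bot: the second hunk of web/pgadmin/authenticate/__init__.py (@@ -94,7 +94,7 @@) swaps get_post_login_redirect() for get_safe_post_login_redirect() only on the successful-login path, while the context line two lines above still does `return flask.redirect(get_post_logout_redirect())` unchanged. The reviewer should confirm that the logout target comes from configuration rather than from a request parameter; if it can be influenced by the caller in the same way as the login "next" value, it deserves the same allow-list treatment in this fix.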
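Review bot: the first hunk of web/pgadmin/utils/__init__.py (@@ -12,9 +12,10 @@) adds module-level imports of url_for and flask_security.utils.get_post_login_redirect to a module that the rest of pgAdmin imports widely; that is fine as long as pgadmin.utils is never imported before Flask-Security is set up, but the new dependency direction (utils now depending on flask_security) is worth a one-line comment next to the import so a later refactor does not reintroduce the unvalidated helper at the call sites.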
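Review bot: in the second hunk of web/pgadmin/utils/__init__.py (@@ -354,3 +355,13 @@) the new get_safe_post_login_redirect() compares the value returned by get_post_login_redirect() for exact equality against a one-entry allow list, `url_for('browser.index')`, and otherwise falls back to a hard-coded `"/"`. That is a sound fail-closed design for an open-redirect fix, but two points: first, any legitimate post-login destination that differs from the allow-listed string by a query string, trailing component or absolute scheme and host will be silently replaced by "/", so the comparison should be documented as intentionally strict (or normalised) rather than left implicit; second, the fallback would be more consistent if it returned the same allow-listed target instead of the literal "/", since both are meant to land the user on the browser index. The function also has no docstring explaining why it exists; a short one referencing the open-redirect issue would help future maintainers.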