Revision 217994f8 snf-astakos-app/astakos/im/target/redirect.py
37 | 37 |
from django.contrib import messages |
38 | 38 |
from django.utils.http import urlencode |
39 | 39 |
from django.contrib.auth import authenticate |
40 |
from django.http import HttpResponse, HttpResponseBadRequest |
|
40 |
from django.http import ( |
|
41 |
HttpResponse, HttpResponseBadRequest, HttpResponseForbidden |
|
42 |
) |
|
41 | 43 |
from django.core.exceptions import ValidationError |
42 | 44 |
from django.views.decorators.http import require_http_methods |
43 | 45 |
|
... | ... | |
45 | 47 |
from urlparse import urlunsplit, urlsplit, urlparse, parse_qsl |
46 | 48 |
|
47 | 49 |
from astakos.im.settings import COOKIE_NAME, COOKIE_DOMAIN |
48 |
from astakos.im.util import set_cookie |
|
50 |
from astakos.im.util import set_cookie, restrict_next
|
|
49 | 51 |
from astakos.im.functions import login as auth_login, logout |
50 | 52 |
|
51 | 53 |
import logging |
... | ... | |
65 | 67 |
next = request.GET.get('next') |
66 | 68 |
if not next: |
67 | 69 |
return HttpResponseBadRequest(_('No next parameter')) |
70 |
if not restrict_next( |
|
71 |
next, domain=COOKIE_DOMAIN, allowed_schemes=('pithos',) |
|
72 |
): |
|
73 |
return HttpResponseForbidden(_('Not allowed next parameter')) |
|
68 | 74 |
force = request.GET.get('force', None) |
69 | 75 |
response = HttpResponse() |
70 | 76 |
if force == '': |
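Review bot: The new `restrict_next` call is an open-redirect guard whose strength rests entirely on the domain and scheme matching inside `astakos.im.util.restrict_next`, which is outside this diff, so the call site should say what it protects: `# Open-redirect guard: 'next' must stay on COOKIE_DOMAIN (or use the pithos:// client scheme); matching rules live in restrict_next`. Whether a relative `next`, a protocol-relative `//host` value, a host with userinfo (`http://COOKIE_DOMAIN@evil.example`), or an unset/empty COOKIE_DOMAIN is accepted or rejected cannot be seen here and is worth confirming against that helper, since this Forbidden response is the only thing between an attacker-supplied `next` and whatever redirect follows. Logging the rejected value through the already-imported `logging` module would help spot redirect probing, provided the module defines a logger. The enclosing view starts before and continues past this hunk.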