From 5ec186e03996e0a78de0d20e575adcf1c41b98ce Mon Sep 17 00:00:00 2001
From: Oliver Falk
Date: Mon, 22 Nov 2021 13:17:06 +0100
Subject: [PATCH] Fix CWE-601 - Open URL redirection
- Only a few URLs are allowed now and this _will_ break some implementations
- Print information in the log about which URL was kicked
---
 config.py | 7 +++++++
 ivatar/views.py | 10 ++++++++++
 2 files changed, 17 insertions(+)
diff --git a/config.py b/config.py
index 0cf93ba..1e2ef07 100644
--- a/config.py
+++ b/config.py
@@ -209,6 +209,13 @@
 CACHE_IMAGES_MAX_AGE = 5 * 60
 CACHE_RESPONSE = True
 
+# Trusted URLs for default redirection
+TRUSTED_DEFAULT_URLS = [
+    "https://ui-avatars.com/api/",
+    "https://gravatar.com/avatar/",
+    "https://avatars.dicebear.com/api/",
+]
+
 # This MUST BE THE LAST!
 if os.path.isfile(os.path.join(BASE_DIR, "config_local.py")):
     from config_local import * # noqa # flake8: noqa # NOQA # pragma: no cover
diff --git a/ivatar/views.py b/ivatar/views.py
index f74b224..d892539 100644
--- a/ivatar/views.py
+++ b/ivatar/views.py
@@ -29,6 +29,7 @@ from robohash import Robohash
 from ivatar.settings import AVATAR_MAX_SIZE, JPEG_QUALITY, DEFAULT_AVATAR_SIZE
 from ivatar.settings import CACHE_RESPONSE
 from ivatar.settings import CACHE_IMAGES_MAX_AGE
+from ivatar.settings import TRUSTED_DEFAULT_URLS
 from .ivataraccount.models import ConfirmedEmail, ConfirmedOpenId
 from .ivataraccount.models import pil_format, file_format
 from .utils import mm_ng
@@ -138,6 +139,15 @@ class AvatarImageView(TemplateView):
         if "default" in request.GET:
             default = request.GET["default"]
 
+            # Check if default starts with an URL scheme and if it does,
+            # check if it's trusted
+            # Check for :// (schema)
+            if default is not None and default.find("://"):
+                # Check if it's trusted, if not, reset to None
+                if not any(x in default for x in TRUSTED_DEFAULT_URLS):
+                    print("Default URL is not in trusted URLs. Kicking it!")
+                    default = None
+
         if "f" in request.GET:
             if request.GET["f"] == "y":
                 forcedefault = True
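Review bot: The comment above `TRUSTED_DEFAULT_URLS` does not say how a candidate URL is compared against the entries, and since they are written as full `https://host/path/` prefixes the intended contract should be stated where the list is defined, e.g. `# Full URL prefixes (scheme + host + path) a ?default= redirect target must start with; compare with str.startswith, never substring search`. Because `config_local.py` is imported after this block and can override the list, the comment might also tell deployments extending it to keep entries as full prefixes rather than bare host names, so that a looser entry cannot widen the redirect target set.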
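Review bot: The guard `if default is not None and default.find("://"):` is inverted: `str.find` returns -1 when `://` is absent, which is truthy, so any non-URL value of `default` (presumably the view also accepts keyword defaults) is treated as a URL and reset to None, while a value that literally begins with `://` (index 0) skips the check; use `if default is not None and "://" in default:`. The inner test `any(x in default for x in TRUSTED_DEFAULT_URLS)` is a substring match, so a URL on any host that merely contains a trusted prefix somewhere (for instance in its query string) is accepted, which leaves the open redirect the commit sets out to close; a prefix match, `if not default.startswith(tuple(TRUSTED_DEFAULT_URLS)):`, enforces what the list entries are written as. The commit message says the kicked URL is logged, but the `print` call neither includes it nor goes to the log; if the module has a `logging` logger, `logger.warning("Default URL %s is not in trusted URLs. Kicking it!", default)` would do both. The enclosing method of `AvatarImageView` starts and ends outside the hunk.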