Fix CWE-601 - Open URL redirection

- Only a few URLs are allowed now and this _will_ break some implementations - Print information in the log about which URL was kicked
2025-11-11 18:56:23 +00:00 · 2021-11-22 13:17:06 +01:00
parent 09a8c60ad0
commit ff9bfdefb5
2 changed files with 17 additions and 0 deletions
--- a/config.py
+++ b/config.py
@@ -209,6 +209,13 @@ CACHE_IMAGES_MAX_AGE = 5 * 60

 CACHE_RESPONSE = True

+# Trusted URLs for default redirection
+TRUSTED_DEFAULT_URLS = [
+    "https://ui-avatars.com/api/",
+    "https://gravatar.com/avatar/",
+    "https://avatars.dicebear.com/api/",
+]
+
 # This MUST BE THE LAST!
 if os.path.isfile(os.path.join(BASE_DIR, "config_local.py")):
    from config_local import *  # noqa # flake8: noqa # NOQA # pragma: no cover
--- a/ivatar/views.py
+++ b/ivatar/views.py
@@ -29,6 +29,7 @@ from robohash import Robohash
 from ivatar.settings import AVATAR_MAX_SIZE, JPEG_QUALITY, DEFAULT_AVATAR_SIZE
 from ivatar.settings import CACHE_RESPONSE
 from ivatar.settings import CACHE_IMAGES_MAX_AGE
+from ivatar.settings import TRUSTED_DEFAULT_URLS
 from .ivataraccount.models import ConfirmedEmail, ConfirmedOpenId
 from .ivataraccount.models import pil_format, file_format
 from .utils import mm_ng
@@ -138,6 +139,15 @@ class AvatarImageView(TemplateView):
        if "default" in request.GET:
            default = request.GET["default"]

+        # Check if default starts with an URL scheme and if it does,
+        # check if it's trusted
+        # Check for :// (schema)
+        if default is not None and default.find("://"):
+            # Check if it's trusted, if not, reset to None
+            if not any(x in default for x in TRUSTED_DEFAULT_URLS):
+                print("Default URL is not in trusted URLs. Kicking it!")
+                default = None
+
        if "f" in request.GET:
            if request.GET["f"] == "y":
                forcedefault = True