Fix CWE-601 - Open URL redirection

- Only a few URLs are allowed now and this _will_ break some implementations - Print information in the log about which URL was kicked
2025-11-16 21:18:02 +00:00 · 2021-11-22 13:17:06 +01:00
parent 09a8c60ad0
commit ff9bfdefb5
2 changed files with 17 additions and 0 deletions
--- a/ivatar/views.py
+++ b/ivatar/views.py
@@ -29,6 +29,7 @@ from robohash import Robohash
 from ivatar.settings import AVATAR_MAX_SIZE, JPEG_QUALITY, DEFAULT_AVATAR_SIZE
 from ivatar.settings import CACHE_RESPONSE
 from ivatar.settings import CACHE_IMAGES_MAX_AGE
+from ivatar.settings import TRUSTED_DEFAULT_URLS
 from .ivataraccount.models import ConfirmedEmail, ConfirmedOpenId
 from .ivataraccount.models import pil_format, file_format
 from .utils import mm_ng
@@ -138,6 +139,15 @@ class AvatarImageView(TemplateView):
        if "default" in request.GET:
            default = request.GET["default"]

+        # Check if default starts with an URL scheme and if it does,
+        # check if it's trusted
+        # Check for :// (schema)
+        if default is not None and default.find("://"):
+            # Check if it's trusted, if not, reset to None
+            if not any(x in default for x in TRUSTED_DEFAULT_URLS):
+                print("Default URL is not in trusted URLs. Kicking it!")
+                default = None
+
        if "f" in request.GET:
            if request.GET["f"] == "y":
                forcedefault = True