Fix CWE-601 - Open URL redirection

- Only a few URLs are allowed now and this _will_ break some implementations
- Print information in the log about which URL was kicked

config.py

@@ -209,6 +209,13 @@ CACHE_IMAGES_MAX_AGE = 5 * 60
 
 CACHE_RESPONSE = True
 
+# Trusted URLs for default redirection
+TRUSTED_DEFAULT_URLS = [
+    "https://ui-avatars.com/api/",
+    "https://gravatar.com/avatar/",
+    "https://avatars.dicebear.com/api/",
+]
+
 # This MUST BE THE LAST!
 if os.path.isfile(os.path.join(BASE_DIR, "config_local.py")):
     from config_local import *  # noqa # flake8: noqa # NOQA # pragma: no cover

ivatar/views.py

@@ -29,6 +29,7 @@ from robohash import Robohash
 from ivatar.settings import AVATAR_MAX_SIZE, JPEG_QUALITY, DEFAULT_AVATAR_SIZE
 from ivatar.settings import CACHE_RESPONSE
 from ivatar.settings import CACHE_IMAGES_MAX_AGE
+from ivatar.settings import TRUSTED_DEFAULT_URLS
 from .ivataraccount.models import ConfirmedEmail, ConfirmedOpenId
 from .ivataraccount.models import pil_format, file_format
 from .utils import mm_ng
@@ -138,6 +139,15 @@ class AvatarImageView(TemplateView):
         if "default" in request.GET:
             default = request.GET["default"]
 
+        # Check if default starts with an URL scheme and if it does,
+        # check if it's trusted
+        # Check for :// (schema)
+        if default is not None and default.find("://"):
+            # Check if it's trusted, if not, reset to None
+            if not any(x in default for x in TRUSTED_DEFAULT_URLS):
+                print("Default URL is not in trusted URLs. Kicking it!")
+                default = None
+
         if "f" in request.GET:
             if request.GET["f"] == "y":
                 forcedefault = True