1 new commit in galaxy-central: https://bitbucket.org/galaxy/galaxy-central/commits/1d06e19aa3aa/
Changeset: 1d06e19aa3aa
Branch: stable
User: dannon
Date: 2014-04-22 16:01:58
Summary: Merged in dan/galaxy-central-stable-prs/stable (pull request #374)
Prevent redirect misuse on user log in.
Affected #: 2 files
diff -r 7fe7330660189bb382191a18ee145a7698ddbb74 -r 1d06e19aa3aac0c87b21f8482b8fc73c89e277ad lib/galaxy/util/__init__.py
--- a/lib/galaxy/util/__init__.py
+++ b/lib/galaxy/util/__init__.py
@@ -29,6 +29,8 @@
 from hashlib import md5
 from itertools import izip
+from urlparse import urlparse
+
 from galaxy import eggs
 eggs.require( 'docutils' )
@@ -691,6 +693,17 @@
 def string_to_object( s ):
 return pickle.loads( binascii.unhexlify( s ) )
+def compare_urls( url1, url2, compare_scheme=True, compare_hostname=True, compare_path=True ):
+ url1 = urlparse( url1 )
+ url2 = urlparse( url2 )
+ if compare_scheme and url1.scheme and url2.scheme and url1.scheme != url2.scheme:
+ return False
+ if compare_hostname and url1.hostname and url2.hostname and url1.hostname != url2.hostname:
+ return False
+ if compare_path and url1.path and url2.path and url1.path != url2.path:
+ return False
+ return True
+
 def get_ucsc_by_build(build):
 sites = []
 for site in ucsc_build_sites:
diff -r 7fe7330660189bb382191a18ee145a7698ddbb74 -r 1d06e19aa3aac0c87b21f8482b8fc73c89e277ad lib/galaxy/webapps/galaxy/controllers/user.py
--- a/lib/galaxy/webapps/galaxy/controllers/user.py
+++ b/lib/galaxy/webapps/galaxy/controllers/user.py
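Review bot: Each comparison in compare_urls treats a component that is missing on either side as a match (`url1.hostname and url2.hostname and url1.hostname != url2.hostname` only rejects when both values parse to a hostname), and the port is never compared, so the function is a looser check than its name suggests when it is used to validate a redirect target as this commit does. Document that contract on the new function, e.g. `'''Compare url1 and url2 by scheme, hostname and path; a component absent on either side counts as equal and the port is ignored, so this is not a strict same-origin test.'''`. Where a same-origin decision is intended, comparing `netloc` (host plus port) rather than `hostname`, and treating a missing netloc on the candidate as a mismatch unless it is a purely relative path, would be the stricter form. Note that urlparse lower-cases scheme and hostname, while `path` is compared by exact string equality.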
@@ -445,26 +445,35 @@
 return self.user_openid_grid( trans, **kwd )
 @web.expose
- def login( self, trans, redirect_url='', refresh_frames=[], **kwd ):
+ def login( self, trans, refresh_frames=[], **kwd ):
 '''Handle Galaxy Log in'''
 redirect = kwd.get( 'redirect', trans.request.referer ).strip()
+ root_url = url_for( '/', qualified=True )
+ redirect_url = '' #always start with redirect_url being empty
+ # compare urls, to prevent a redirect from pointing (directly) outside of galaxy
+ # or to enter a logout/login loop
+ if not util.compare_urls( root_url, redirect, compare_path=False ) or util.compare_urls( url_for( controller='user', action='logout', qualified=True ), redirect ):
+ redirect = root_url
 use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) )
 message = kwd.get( 'message', '' )
 status = kwd.get( 'status', 'done' )
 header = ''
- user = None
+ user = trans.user
 email = kwd.get( 'email', '' )
- if kwd.get( 'login_button', False ):
+ if user:
+ #already logged in
+ redirect_url = redirect
+ message = 'You are already logged in.'
+ status = 'info'
+ elif kwd.get( 'login_button', False ):
 if trans.webapp.name == 'galaxy' and not refresh_frames:
 if trans.app.config.require_login:
 refresh_frames = [ 'masthead', 'history', 'tools' ]
 else:
 refresh_frames = [ 'masthead', 'history' ]
 message, status, user, success = self.__validate_login( trans, **kwd )
- if success and redirect and not redirect.startswith( trans.request.base + url_for( controller='user', action='logout' ) ):
+ if success:
 redirect_url = redirect
- elif success:
- redirect_url = url_for( '/' )
 if not user and trans.app.config.require_login:
 if trans.app.config.allow_user_creation:
 create_account_str = " If you don't already have an account, <a href='%s'>you may create one</a>." % \
Repository URL: https://bitbucket.org/galaxy/galaxy-central/
-- This is a commit notification from bitbucket.org.
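Review bot: The new guard `util.compare_urls( root_url, redirect, compare_path=False )` compares only scheme and hostname and, because compare_urls skips a component that is empty on either side, it accepts a redirect whose scheme or hostname parses as empty and never rejects a same-host target on a different port; adding a `netloc` comparison in compare_urls, or checking `urlparse( redirect ).port` against root_url's here, would close the port gap. The logout-loop check compares the logout URL's `path` by exact equality, so a trailing-slash spelling of the logout path is not caught; comparing paths after `rstrip( '/' )` avoids that. The `if user:` branch sets `redirect_url = redirect` for an already-authenticated user, but how the template consumes redirect_url is outside the hunk, and the new signature keeps the mutable default `refresh_frames=[]` (it is only rebound below, so harmless here, but `refresh_frames=None` is the usual form). Not introduced by this commit, the `.strip()` on `kwd.get( 'redirect', trans.request.referer )` on the context line above raises AttributeError when no Referer header is present. login's body continues past the end of the hunk.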