From 9911b5c7dd2b8a8962a61e2cf9e98fa8fb1725c9 Mon Sep 17 00:00:00 2001
From: Eric Callahan
Date: Fri, 28 Jan 2022 14:05:48 -0500
Subject: [PATCH] app: don't allow open redirects in '/server/redirect'

Validate that the URL argument against the `cors_domains` option.

Signed-off-by: Eric Callahan
---
 moonraker/app.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/moonraker/app.py b/moonraker/app.py
index a58fa06..eb1819a 100644
--- a/moonraker/app.py
+++ b/moonraker/app.py
@@ -919,4 +919,9 @@ class RedirectHandler(AuthorizedRequestHandler):
 400, "No url argument provided")
 url = body_args['url']
 assert url is not None
+ # validate the url origin
+ auth: AuthComp = self.server.lookup_component('authorization', None)
+ if auth is None or not auth.check_cors(url.rstrip("/")):
+ raise tornado.web.HTTPError(
+ 400, f"Unauthorized URL redirect: {url}")
 self.redirect(url)
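Review bot: The new guard hands `auth.check_cors` the whole URL with only a trailing slash stripped, so whether a redirect to an allowed host that carries a path or query is accepted, and whether a non-http(s) scheme is refused, depends on how check_cors normalizes its argument, which is not visible in this hunk. Parsing the argument with `urllib.parse.urlparse` (a top-of-file import), requiring an http/https scheme and a non-empty netloc, and passing check_cors only the origin (`scheme://netloc`) makes the policy readable at the call site and presumably matches what check_cors already compares against `cors_domains` for the Origin header — worth confirming against that implementation. The fail-closed branch when no authorization component is loaded (`auth is None` rejects every redirect with 400) is the right default but is not obvious to a reader, so a comment such as `# no authorization component: refuse every redirect rather than allow any destination` would help, and note the 400 log_message writes the untrusted url into the server log. The enclosing RedirectHandler method starts before this hunk.
```python
        assert url is not None
        # validate the url origin (requires: from urllib.parse import urlparse)
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            raise tornado.web.HTTPError(
                400, f"Unauthorized URL redirect: {url}")
        # no authorization component: refuse every redirect rather than allow any destination
        auth: AuthComp = self.server.lookup_component('authorization', None)
        if auth is None or not auth.check_cors(f"{parsed.scheme}://{parsed.netloc}"):
            raise tornado.web.HTTPError(
                400, f"Unauthorized URL redirect: {url}")
        # … unchanged: self.redirect(url) …
```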