File 0001-Fixes-a-redirect-vulnerability-when-the-user-opens-the-pgAdmin-URL.patch of Package pgadmin4.35897

From e2b00dda1b15a1793f365544fce2c46e47b7a47e Mon Sep 17 00:00:00 2001
From: Aditya Toshniwal <aditya.toshniwal@enterprisedb.com>
Date: Mon, 19 Sep 2022 15:36:10 +0530
Subject: [PATCH] Fixes a redirect vulnerability when the user opens the
 pgAdmin URL. Fixes #5343

| `Issue #5343 <https://github.com/postgres/pgadmin4/issues/5343>`_ -  Fixes a redirect vulnerability when the user opens the pgAdmin URL.

Rebased by Antonio Larrosa <alarrosa@suse.com>


Index: pgadmin4-4.30/web/pgadmin/authenticate/__init__.py
===================================================================
--- pgadmin4-4.30.orig/web/pgadmin/authenticate/__init__.py
+++ pgadmin4-4.30/web/pgadmin/authenticate/__init__.py
@@ -17,12 +17,12 @@ from flask_babelex import gettext
 from flask_security import current_user
 from flask_security.views import _security, _ctx
 from flask_security.utils import config_value, get_post_logout_redirect, \
-    get_post_login_redirect, logout_user
+    logout_user
 
 from flask import session
 
 import config
-from pgadmin.utils import PgAdminModule
+from pgadmin.utils import PgAdminModule, get_safe_post_login_redirect
 from pgadmin.utils.constants import KERBEROS
 from pgadmin.utils.csrf import pgCSRFProtect
 
@@ -94,7 +94,7 @@ def login():
             return flask.redirect(get_post_logout_redirect())
 
         session['_auth_source_manager_obj'] = current_auth_obj
-        return flask.redirect(get_post_login_redirect())
+        return flask.redirect(get_safe_post_login_redirect())
 
     elif isinstance(msg, Response):
         return msg
Index: pgadmin4-4.30/web/pgadmin/utils/__init__.py
===================================================================
--- pgadmin4-4.30.orig/web/pgadmin/utils/__init__.py
+++ pgadmin4-4.30/web/pgadmin/utils/__init__.py
@@ -12,9 +12,10 @@ import sys
 from collections import defaultdict
 from operator import attrgetter
 
-from flask import Blueprint, current_app
+from flask import Blueprint, current_app, url_for
 from flask_babelex import gettext
 from flask_security import current_user, login_required
+from flask_security.utils import get_post_login_redirect
 from threading import Lock
 
 from .paths import get_storage_directory
@@ -354,3 +355,13 @@ class KeyManager:
 
             if user is not None:
                 del self.users[current_user.id]
+
+def get_safe_post_login_redirect():
+    allow_list = [
+        url_for('browser.index')
+    ]
+    url = get_post_login_redirect()
+    if url in allow_list:
+        return url
+
+    return "/"
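Review bot: `get_safe_post_login_redirect` has no docstring, and the exact-match allow list means any post-login target other than the byte-for-byte value of `url_for('browser.index')` (a trailing query string, another in-app path, or an absolute URL to the same host) silently falls back to `"/"`; that is the safe direction for an open-redirect fix, but it should be stated so a later maintainer does not "loosen" the comparison into a prefix or hostname check. Suggest a docstring such as `"""Return the post-login redirect target only if it is on the allow list; otherwise "/"."""` and a comment above the comparison, `# Exact match only: no path/host normalisation, so absolute URLs and extra query strings drop to "/".` Building `allow_list` inside the function is required because `url_for` needs an app/request context, which is worth a one-line comment as well. PEP 8 also expects two blank lines between the end of the `KeyManager` body and this top-level `def`; the hunk adds only one. `KeyManager` begins outside the hunk.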