allow a list of permitted external domains to be defined in settings and allow…

allow a list of permitted external domains to be defined in settings and allow redirects to those external domains as well as local URLs (as before)

allow a list of permitted external domains to be defined in settings and allow…
allow a list of permitted external domains to be defined in settings and allow redirects to those external domains as well as local URLs (as before)
389bec33 · stuart.langridge@canonical.com · Tarmac · fa3de228 · 8ea62b16 · 389bec33
Commit 389bec33 authored Jan 14, 2010 by stuart.langridge@canonical.com Committed by Tarmac Jan 14, 2010
Hide whitespace changes
Inline Side-by-side

Showing with 25 additions and 1 deletions

README.txt
+9 -0

django_openid_auth/views.py
+16 -1

No files found.
--- a/README.txt
+++ b/README.txt
@@ -106,3 +106,12 @@ If you use OPENID_LAUNCHPAD_TEAMS_MAPPING_AUTO, the variable OPENID_LAUNCHPAD_TE
 If you want to exclude some groups from the auto mapping, use OPENID_LAUNCHPAD_TEAMS_MAPPING_AUTO_BLACKLIST. This variable has only an effect if OPENID_LAUNCHPAD_TEAMS_MAPPING_AUTO is True.

 	OPENID_LAUNCHPAD_TEAMS_MAPPING_AUTO_BLACKLIST = ['django-group1', 'django-group2']
+	
+== External redirect domains ==
+
+By default, redirecting back to an external URL after auth is forbidden. To permit redirection to external URLs on a separate domain, define ALLOWED_EXTERNAL_OPENID_REDIRECT_DOMAINS in your settings.py file as a list of permitted domains:
+
+	ALLOWED_EXTERNAL_OPENID_REDIRECT_DOMAINS = ['example.com', 'example.org']
+
+and redirects to external URLs on those domains will additionally be permitted.
+
--- a/django_openid_auth/views.py
+++ b/django_openid_auth/views.py
@@ -29,6 +29,7 @@

 import re
 import urllib
+from urlparse import urlsplit

 from django.conf import settings
 from django.contrib.auth import (
@@ -64,7 +65,21 @@ def sanitise_redirect_url(redirect_to):
    """Sanitise the redirection URL."""
    # Light security check -- make sure redirect_to isn't garbage.
    if not redirect_to or '//' in redirect_to or ' ' in redirect_to:
-        redirect_to = settings.LOGIN_REDIRECT_URL
+        # Allow the redirect URL to be external if it's a permitted domain
+        allowed_domains = getattr(settings, 
+            "ALLOWED_EXTERNAL_OPENID_REDIRECT_DOMAINS", [])
+        s, netloc, p, q, f = urlsplit(redirect_to)
+        # allow it if netloc is blank or if the domain is allowed
+        if netloc:
+            # a domain was specified. Is it an allowed domain?
+            if netloc.find(":") != -1:
+                netloc, _ = netloc.split(":", 1)
+            if netloc not in allowed_domains:
+                redirect_to = settings.LOGIN_REDIRECT_URL
+        else:
+            # netloc is blank, so it's a local URL (possibly with another URL
+            # passed in the querystring. Allow it.)
+            pass
    return redirect_to