On edx.org instances, next URL for login page cannot contain 'edx.org'.

f087672d · Saleem Latif · 100b5aa5 · f087672d · f087672d
Commit f087672d authored Aug 24, 2017 by Saleem Latif
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 5 deletions

common/djangoapps/student/helpers.py
+3 -2

common/djangoapps/student/tests/test_helpers.py
+11 -3

No files found.
--- a/common/djangoapps/student/helpers.py
+++ b/common/djangoapps/student/helpers.py
@@ -297,7 +297,7 @@ def get_redirect_to(request):
    # get information about a user on edx.org. In any such case drop the parameter.
    if redirect_to:
        mime_type, _ = mimetypes.guess_type(redirect_to, strict=False)
-        if not http.is_safe_url(redirect_to):
+        if not http.is_safe_url(redirect_to, host=request.get_host()):
            log.warning(
                u'Unsafe redirect parameter detected after login page: %(redirect_to)r',
                {"redirect_to": redirect_to}
@@ -327,8 +327,9 @@ def get_redirect_to(request):
            redirect_to = None
        else:
            themes = get_themes()
+            next_path = urlparse.urlparse(redirect_to).path
            for theme in themes:
-                if theme.theme_dir_name in redirect_to:
+                if theme.theme_dir_name in next_path:
                    log.warning(
                        u'Redirect to theme content detected after login page: %(redirect_to)r',
                        {"redirect_to": redirect_to}

--- a/common/djangoapps/student/tests/test_helpers.py
+++ b/common/djangoapps/student/tests/test_helpers.py
@@ -37,6 +37,8 @@ class TestLoginHelper(TestCase):
    @ddt.data(
        ("https://www.amazon.com", "text/html", None,
         "Unsafe redirect parameter detected after login page: u'https://www.amazon.com'"),
+        ("testserver/edx.org/images/logo", "text/html", None,
+         "Redirect to theme content detected after login page: u'testserver/edx.org/images/logo'"),
        ("favicon.ico", "image/*", "test/agent",
         "Redirect to non html content 'image/*' detected from 'test/agent' after login page: u'favicon.ico'"),
        ("https://www.test.com/test.jpg", "image/*", None,
@@ -61,12 +63,18 @@ class TestLoginHelper(TestCase):
                (LOGGER_NAME, "WARNING", expected_log)
            )

-    def test_safe_next(self):
+    @ddt.data(
+        ('/dashboard', 'testserver', '/dashboard'),
+        ('http://testserver/courses', 'testserver', 'http://testserver/courses'),
+        ('https://edx.org/courses', 'edx.org', 'https://edx.org/courses'),
+    )
+    @ddt.unpack
+    def test_safe_next(self, url, host, expected_url):
        """ Test safe next parameter """
-        req = self.request.get(reverse("login") + "?next={url}".format(url="/dashboard"))
+        req = self.request.get(reverse("login") + "?next={url}".format(url=url), HTTP_HOST=host)
        req.META["HTTP_ACCEPT"] = "text/html"  # pylint: disable=no-member
        next_page = get_next_url_for_login_page(req)
-        self.assertEqual(next_page, u'/dashboard')
+        self.assertEqual(next_page, expected_url)

    @patch('student.helpers.third_party_auth.pipeline.get')
    @ddt.data(