This is an automated email from the ASF dual-hosted git repository.

wave pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git


The following commit(s) were added to refs/heads/main by this push:
     new e9ed2a37 ASVS L1 - Validate referrer in redirect in admin toggle-view
e9ed2a37 is described below

commit e9ed2a37d5d0ef1c574f478dd2a23c75a2651c70
Author: Dave Fisher <[email protected]>
AuthorDate: Fri Feb 13 14:56:08 2026 -0800

    ASVS L1 - Validate referrer in redirect in admin toggle-view
---
 atr/admin/__init__.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/atr/admin/__init__.py b/atr/admin/__init__.py
index 23bf9c52..ff075fe4 100644
--- a/atr/admin/__init__.py
+++ b/atr/admin/__init__.py
@@ -888,7 +888,9 @@ async def toggle_view_post(session: web.Committer) -> 
web.WerkzeugResponse:
     message = "Viewing as regular user" if downgrade else "Viewing as admin"
     await quart.flash(message, "success")
     referrer = quart.request.referrer
-    return quart.redirect(referrer or util.as_url(data))
+    if referrer and web.valid_url(referrer, quart.request.host):
+        return quart.redirect(referrer)
+    return quart.redirect("https://"; + quart.request.host + "/")
 
 
 @admin.get("/validate")
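Review bot: The fallback redirect on the last added line is built from `quart.request.host`, which comes from the client-supplied Host header; unless the app pins SERVER_NAME or a trusted-hosts list (not visible here), that leaves the fallback steerable off-site, which is the same class of problem the referrer check was added for. A relative redirect needs no host at all, `return quart.redirect("/")`, or the removed `util.as_url(data)` fallback could be kept behind the new check. The `"https://";` on that line looks like archive mangling of the string literal, but if the semicolon is really in the source the line will not parse. The referrer branch is only as strong as `web.valid_url`, so it is worth confirming that helper requires an exact host match and an http(s) scheme rather than a prefix match. toggle_view_post starts outside the hunk, so whether `data` is still used after this change cannot be seen here.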

