Submission #400792: LinuxOSsk Shakal-NG 1.3.3 Open Redirect

Title: LinuxOSsk Shakal-NG 1.3.3 Open Redirect
Description: The code uses the user-controlled next variable to redirect. If next is not verified, an attacker could induce users to redirect to a malicious website.

First:

```
Snippet of code comments/urls.py (line 10):
path('odpovedat/<int:parent>/', views.Reply.as_view(), name='reply'),
Snippet of code comments/views.py (line 97):
next_url = self.request.POST.get('next', '')
Snippet of code comments/views.py (line 100):
return http.HttpResponseRedirect(next_url + '#link_' + str(comment.pk))
```

Second:

```
Snippet of code comments/urls.py (line 12):
path('sledovat/<int:pk>/', views.Watch.as_view(), name='watch'),
Snippet of code comments/views.py (line 140):
def post(self, request, **kwargs):
Snippet of code comments/views.py (line 152):
return HttpResponseRedirect(request.POST['next'])
```

Third:

```
Snippet of code comments/urls.py (line 13):
path('zabudnut/<int:pk>/', views.Forget.as_view(), name='forget'),
Snippet of code comments/views.py (line 161):
def get(self, request, **kwargs):
Snippet of code comments/views.py (line 165):
return HttpResponseRedirect(request.GET['next'])
```

Safety advice:

- Verify the next parameter: Make sure that the next parameter points to a predefined, secure list of URLs, or use a whitelist to limit acceptable values.
- Use security functions: If the Django framework is being used, consider using Django's is_safe_url or a similar method to verify the security of the URL.
- Encoded output: Ensure that the redirected target URL is properly encoded to prevent injection attacks.
- Logging: Logging relevant information prior to redirection helps in tracing and debugging in the event of a security incident.
- Error handling: If the next_url is invalid or points to an insecure address, there should be an explicit error handling mechanism rather than a simple redirect.
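As an added example (not code from the Shakal-NG project or from the submitter), the check below re-implements with the standard library the logic of Django's `django.utils.http.url_has_allowed_host_and_scheme`, which is the function that replaced `is_safe_url` in Django 3.0, and shows how the three views above could validate `next` before building the `HttpResponseRedirect`. The allowed host names, the fallback path and the helper names are constructed for this example; in a real Django view the allowed hosts would normally come from `request.get_host()`.

```python
import logging
import unicodedata
from urllib.parse import urlsplit

log = logging.getLogger(__name__)

# Constructed sample value: the hosts this deployment considers its own.
ALLOWED_HOSTS = {"linuxos.sk", "www.linuxos.sk"}


def _check_one(url, allowed_hosts, require_https):
    # Chrome treats three or more leading slashes as an absolute URL.
    if url.startswith("///"):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    # "http:///evil.example" or "javascript:alert(1)": a scheme without a
    # host. Browsers may still treat the path as the host, so reject it.
    if parts.scheme and not parts.netloc:
        return False
    # Some browsers ignore leading control characters, which can turn a
    # value into a scheme-relative URL; reject those too.
    if unicodedata.category(url[0])[0] == "C":
        return False
    scheme = parts.scheme
    # "//evil.example/p" has no scheme but a netloc: treat it as http.
    if not scheme and parts.netloc:
        scheme = "http"
    valid_schemes = ("https",) if require_https else ("http", "https")
    # netloc (including any user@ part) must be one of ours, or absent.
    return (not parts.netloc or parts.netloc in allowed_hosts) and (
        not scheme or scheme in valid_schemes
    )


def url_is_safe_redirect(url, allowed_hosts=ALLOWED_HOSTS, require_https=False):
    """True only if `url` is a relative path or an http(s) URL on one of
    `allowed_hosts`. Standard-library re-implementation (written for this
    example) of Django's url_has_allowed_host_and_scheme."""
    if not url:
        return False
    url = url.strip()
    if not url:
        return False
    # Browsers treat "\" like "/", so "/\evil.example" must be judged both
    # as written and with backslashes replaced.
    return _check_one(url, allowed_hosts, require_https) and _check_one(
        url.replace("\\", "/"), allowed_hosts, require_https
    )


def redirect_target(next_url, comment_pk, fallback="/"):
    """Hardened form of the Reply view's redirect: validate `next` and fall
    back to a fixed same-site path (constructed sample value) otherwise,
    logging the rejected value as the advice above suggests."""
    if not url_is_safe_redirect(next_url):
        log.warning("rejected unsafe redirect target %r", next_url)
        return fallback
    return next_url + "#link_" + str(comment_pk)


def safe_next(params, fallback="/"):
    """Hardened form for the Watch and Forget views: read `next` from a
    POST/GET-style mapping with a default instead of indexing it (which
    raises KeyError when absent), then validate it."""
    candidate = params.get("next", "")
    if url_is_safe_redirect(candidate):
        return candidate
    log.warning("rejected unsafe redirect target %r", candidate)
    return fallback


if __name__ == "__main__":
    # Constructed inputs: one same-site path, one absolute URL on a foreign host.
    print(redirect_target("/clanky/42/", 7))
    print(redirect_target("https://evil.example/", 7))
    print(safe_next({"next": "//evil.example"}))
```

The host check compares the whole `netloc`, so `http://linuxos.sk@evil.example/` is rejected even though its user-info part looks like an allowed host. Pass `require_https=True` on sites served only over TLS so that a redirect cannot downgrade the session to plain HTTP.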
Source: https://github.com/LinuxOSsk/Shakal-NG/issues/202
User: zihe (UID 56943)
Submitted: 08/31/2024 02:59 PM (1 year ago)
Moderated: 09/04/2024 10:43 AM (4 days later)
Status: Accepted
VulDB Entry: 276492 [LinuxOSsk Shakal-NG up to 1.3.3 comments/views.py Open Redirect]
Points: 20
