From 661865de87422dcaddac570d7668c0d7cf36ca29 Mon Sep 17 00:00:00 2001 From: Mouse Reeve Date: Thu, 14 Jul 2022 11:13:11 -0700 Subject: [PATCH] Remmoves insecure redirects This should really fundamentally work differently, but this is a quick for for now to avoid an insecure redirect. There will be a negative impact on user experience from this, and a followup change should look into these views and improve their flow. --- bookwyrm/views/goal.py | 4 ++-- bookwyrm/views/interaction.py | 10 +++++----- bookwyrm/views/reading.py | 10 ++++------ bookwyrm/views/shelf/shelf_actions.py | 8 ++++---- bookwyrm/views/status.py | 6 +++--- bookwyrm/views/user.py | 2 +- 6 files changed, 19 insertions(+), 21 deletions(-) diff --git a/bookwyrm/views/goal.py b/bookwyrm/views/goal.py index b28c04766..57ff4bd75 100644 --- a/bookwyrm/views/goal.py +++ b/bookwyrm/views/goal.py @@ -70,7 +70,7 @@ class Goal(View): privacy=goal.privacy, ) - return redirect(request.headers.get("Referer", "/")) + return redirect("user-goal", request.user.localname, year) @require_POST @@ -79,4 +79,4 @@ def hide_goal(request): """don't keep bugging people to set a goal""" request.user.show_goal = False request.user.save(broadcast=False, update_fields=["show_goal"]) - return redirect(request.headers.get("Referer", "/")) + return redirect("/") diff --git a/bookwyrm/views/interaction.py b/bookwyrm/views/interaction.py index f59271bd1..35441a2cf 100644 --- a/bookwyrm/views/interaction.py +++ b/bookwyrm/views/interaction.py @@ -28,7 +28,7 @@ class Favorite(View): if is_api_request(request): return HttpResponse() - return redirect(request.headers.get("Referer", "/")) + return redirect("/") @method_decorator(login_required, name="dispatch") @@ -48,7 +48,7 @@ class Unfavorite(View): favorite.delete() if is_api_request(request): return HttpResponse() - return redirect(request.headers.get("Referer", "/")) + return redirect("/") @method_decorator(login_required, name="dispatch") @@ -67,7 +67,7 @@ class Boost(View): boosted_status=status, user=request.user ).exists(): # you already boosted that. - return redirect(request.headers.get("Referer", "/")) + return redirect("/") models.Boost.objects.create( boosted_status=status, @@ -76,7 +76,7 @@ class Boost(View): ) if is_api_request(request): return HttpResponse() - return redirect(request.headers.get("Referer", "/")) + return redirect("/") @method_decorator(login_required, name="dispatch") @@ -94,4 +94,4 @@ class Unboost(View): boost.delete() if is_api_request(request): return HttpResponse() - return redirect(request.headers.get("Referer", "/")) + return redirect("/") diff --git a/bookwyrm/views/reading.py b/bookwyrm/views/reading.py index eb43e4ea4..482da3cd0 100644 --- a/bookwyrm/views/reading.py +++ b/bookwyrm/views/reading.py @@ -79,13 +79,11 @@ class ReadingStatus(View): current_status_shelfbook = shelves[0] if shelves else None # checking the referer prevents redirecting back to the modal page - referer = request.headers.get("Referer", "/") - referer = "/" if "reading-status" in referer else referer if current_status_shelfbook is not None: if current_status_shelfbook.shelf.identifier != desired_shelf.identifier: current_status_shelfbook.delete() else: # It already was on the shelf - return redirect(referer) + return redirect("/") models.ShelfBook.objects.create( book=book, shelf=desired_shelf, user=request.user @@ -123,7 +121,7 @@ class ReadingStatus(View): if is_api_request(request): return HttpResponse() - return redirect(referer) + return redirect("/") @method_decorator(login_required, name="dispatch") @@ -205,7 +203,7 @@ def delete_readthrough(request): readthrough.raise_not_deletable(request.user) readthrough.delete() - return redirect(request.headers.get("Referer", "/")) + return redirect("/") @login_required @@ -216,4 +214,4 @@ def delete_progressupdate(request): update.raise_not_deletable(request.user) update.delete() - return redirect(request.headers.get("Referer", "/")) + return redirect("/") diff --git a/bookwyrm/views/shelf/shelf_actions.py b/bookwyrm/views/shelf/shelf_actions.py index 5e7e6c0c9..67442f3b5 100644 --- a/bookwyrm/views/shelf/shelf_actions.py +++ b/bookwyrm/views/shelf/shelf_actions.py @@ -13,7 +13,7 @@ def create_shelf(request): """user generated shelves""" form = forms.ShelfForm(request.POST) if not form.is_valid(): - return redirect(request.headers.get("Referer", "/")) + return redirect("user-shelves", request.user.localname) shelf = form.save() return redirect(shelf.local_path) @@ -70,7 +70,7 @@ def shelve(request): ): current_read_status_shelfbook.delete() else: # It is already on the shelf - return redirect(request.headers.get("Referer", "/")) + return redirect("/") # create the new shelf-book entry models.ShelfBook.objects.create( @@ -86,7 +86,7 @@ def shelve(request): # Might be good to alert, or reject the action? except IntegrityError: pass - return redirect(request.headers.get("Referer", "/")) + return redirect("/") @login_required @@ -100,4 +100,4 @@ def unshelve(request, book_id=False): ) shelf_book.raise_not_deletable(request.user) shelf_book.delete() - return redirect(request.headers.get("Referer", "/")) + return redirect("/") diff --git a/bookwyrm/views/status.py b/bookwyrm/views/status.py index 0dd9e0f80..8c14b3cdd 100644 --- a/bookwyrm/views/status.py +++ b/bookwyrm/views/status.py @@ -82,7 +82,7 @@ class CreateStatus(View): if is_api_request(request): logger.exception(form.errors) return HttpResponseBadRequest() - return redirect(request.headers.get("Referer", "/")) + return redirect("/") status = form.save(commit=False) # save the plain, unformatted version of the status for future editing @@ -146,7 +146,7 @@ class DeleteStatus(View): # perform deletion status.delete() - return redirect(request.headers.get("Referer", "/")) + return redirect("/") @login_required @@ -195,7 +195,7 @@ def edit_readthrough(request): if is_api_request(request): return HttpResponse() - return redirect(request.headers.get("Referer", "/")) + return redirect("/") def find_mentions(content): diff --git a/bookwyrm/views/user.py b/bookwyrm/views/user.py index 2aed317f7..a46c74642 100644 --- a/bookwyrm/views/user.py +++ b/bookwyrm/views/user.py @@ -164,7 +164,7 @@ def hide_suggestions(request): """not everyone wants user suggestions""" request.user.show_suggested_users = False request.user.save(broadcast=False, update_fields=["show_suggested_users"]) - return redirect(request.headers.get("Referer", "/")) + return redirect("/") # pylint: disable=unused-argument