Merge pull request #519 from TreyWW/alert-autofix-20

TreyWW · web-flow · commit 2c8808c7f3d9 · 2024-10-19T21:08:43.000+01:00
Fix code scanning alert no. 20: URL redirection from remote source
diff --git a/backend/core/views/auth/login.py b/backend/core/views/auth/login.py
@@ -10,6 +10,7 @@
 from django.shortcuts import render, redirect
 from django.urls import resolve, reverse
 from django.urls.exceptions import Resolver404
+from django.utils.http import url_has_allowed_host_and_scheme
 from django.utils.decorators import method_decorator
 from django.views import View
 from django.views.decorators.http import require_GET, require_POST
@@ -76,10 +77,13 @@ def login_manual(request: HttpRequest):
         messages.warning(request, "You have been requested by an administrator to change your account password.")
         return redirect("settings:change_password")
 
-    try:
-        resolve(redirect_url)
-        return redirect(redirect_url)
-    except Resolver404:
+    if url_has_allowed_host_and_scheme(redirect_url, allowed_hosts=None):
+        try:
+            resolve(redirect_url)
+            return redirect(redirect_url)
+        except Resolver404:
+            return redirect("dashboard")
+    else:
         return redirect("dashboard")
 
 
