Merged sanitize redirect url checker. Closes gh-38
authorMatías Aguirre <matiasaguirre@gmail.com>
Sun, 6 Mar 2011 15:26:25 +0000 (13:26 -0200)
committerMatías Aguirre <matiasaguirre@gmail.com>
Sun, 6 Mar 2011 15:26:25 +0000 (13:26 -0200)
social_auth/utils.py
social_auth/views.py

index 1c8744d800bccfbfea11576b0d1fd1378eab367b..146d450a192c130cbc2fa619084a0001cd7a58a8 100644 (file)
@@ -1,5 +1,6 @@
 import urlparse
 
+
 def sanitize_redirect(host, redirect_to):
     """
     Given the hostname and an untrusted URL to redirect to,
@@ -7,12 +8,36 @@ def sanitize_redirect(host, redirect_to):
     and returns it, else returns None.
 
     See http://code.djangoproject.com/browser/django/trunk/django/contrib/auth/views.py#L36
+
+    >>> print sanitize_redirect('myapp.com', None)
+    None
+    >>> print sanitize_redirect('myapp.com', '')
+    None
+    >>> print sanitize_redirect('myapp.com', {})
+    None
+    >>> print sanitize_redirect('myapp.com', 'http://notmyapp.com/path/')
+    None
+    >>> print sanitize_redirect('myapp.com', 'http://myapp.com/path/')
+    http://myapp.com/path/
+    >>> print sanitize_redirect('myapp.com', '/path/')
+    /path/
     """
     # Quick sanity check.
     if not redirect_to:
         return None
-    netloc = urlparse.urlparse(redirect_to)[1]
-    # Heavier security check -- don't allow redirection to a different host.
+
+    # Heavier security check, don't allow redirection to a different host.
+    try:
+        netloc = urlparse.urlparse(redirect_to)[1]
+    except TypeError:  # not valid redirect_to value
+        return None
+
     if netloc and netloc != host:
         return None
+
     return redirect_to
+
+
+if __name__ == '__main__':
+    import doctest
+    doctest.testmod()
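Review bot: The host comparison at `if netloc and netloc != host:` only rejects targets whose netloc is non-empty and different, so any value that urlparse gives an empty netloc passes through with its scheme intact — `javascript:alert(1)` parses to scheme `javascript`, netloc `''` and is returned unchanged, which defeats the purpose of this checker for an open-redirect/XSS sink. I would read the scheme too, `scheme, netloc = urlparse.urlparse(redirect_to)[:2]`, and add `if scheme and scheme not in ('http', 'https'): return None` ahead of the host check, with a matching doctest `>>> print sanitize_redirect('myapp.com', 'javascript:alert(1)')` expecting `None`. Be aware that the new `except TypeError` branch is only a partial guard for non-string input (the doctest covers `{}`, not other types), and that forms such as `http:///notmyapp.com` or `///notmyapp.com` also yield an empty netloc in Python's parser while some browsers may treat them as absolute URLs — worth a doctest or an explicit reject of a leading `///`, but I have not verified browser behaviour here.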
index cfe29c368dd22a42678594164e7e5738bd189f82..1268e271f50e0ab1f6eef90621a62addbeaac262 100644 (file)
@@ -1,6 +1,7 @@
 """Views"""
 from django.conf import settings
-from django.http import HttpResponseRedirect, HttpResponse, HttpResponseServerError
+from django.http import HttpResponseRedirect, HttpResponse, \
+                        HttpResponseServerError
 from django.core.urlresolvers import reverse
 from django.db import transaction
 from django.contrib.auth import login, REDIRECT_FIELD_NAME
@@ -35,16 +36,17 @@ def complete_process(request, backend):
 
     try:
         user = backend.auth_complete()
-    except ValueError, e: # some Authentication error ocurred
+    except ValueError, e:  # some Authentication error ocurred
         user = None
         error_key = getattr(settings, 'SOCIAL_AUTH_ERROR_KEY', None)
-        if error_key: # store error in session
+        if error_key:  # store error in session
             request.session[error_key] = str(e)
 
     if user and getattr(user, 'is_active', True):
         login(request, user)
         if getattr(settings, 'SOCIAL_AUTH_SESSION_EXPIRATION', True):
-            # Set session expiration date if present and not disabled by setting
+            # Set session expiration date if present and not disabled by
+            # setting
             backend_name = backend.AUTH_BACKEND.name
             social_user = user.social_auth.get(provider=backend_name)
             if social_user.expiration_delta():
@@ -85,7 +87,7 @@ def disconnect(request, backend):
     return HttpResponseRedirect(url)
 
 
-def auth_process(request, backend, complete_url_name, 
+def auth_process(request, backend, complete_url_name,
                  default_redirect=DEFAULT_REDIRECT):
     """Authenticate using social backend"""
     redirect = reverse(complete_url_name, args=(backend,))