Module: check_mk
Branch: master
Commit: 6ae4c4bfb7b74437faa751327cf689b4a0deefd7
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=6ae4c4bfb7b744…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Fri Nov 22 10:57:27 2013 +0100
FIX Inventory problem with inventory_processes parameter
---
web/htdocs/login.py | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/web/htdocs/login.py b/web/htdocs/login.py
index 5cb2f23..3d65284 100644
--- a/web/htdocs/login.py
+++ b/web/htdocs/login.py
@@ -175,7 +175,10 @@ def do_login():
raise MKUserError('_password', _('No password given.'))
origtarget = html.var('_origtarget')
- if not origtarget or "logout.py" in origtarget:
+ # Disallow redirections to:
+ # - logout.py: Happens after login
+ # - Full qualified URLs (http://...) to prevent redirection attacks
+ if not origtarget or "logout.py" in origtarget or '://' in
origtarget:
origtarget = defaults.url_prefix + 'check_mk/'
# None -> User unknown, means continue with other connectors
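Review bot: The added `'://' in origtarget` test on the `if not origtarget ...` line rejects only targets that carry an explicit scheme, so a scheme-relative value such as `//host/path` still passes and the browser resolves it to another origin. `_origtarget` comes straight from the request via `html.var`, and a denylist on one substring is brittle for it. An allowlist is safer: parse the value with `parts = urlparse.urlparse(origtarget or '')` and change the condition to `if not origtarget or "logout.py" in origtarget or parts.scheme or parts.netloc:`, ideally also requiring the target to start with `defaults.url_prefix`. This assumes `urlparse` is importable in login.py, which the hunk does not show. The body of do_login starts before and continues past this hunk, so the place where `origtarget` is finally used for the redirect is not visible here.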