Created
March 18, 2017 09:06
-
-
Save tarekziade/6535011234c45bf8aaee41c6c8436b3d to your computer and use it in GitHub Desktop.
White list any 302 locations
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from flask import make_response | |
| from urllib.parse import urlparse | |
| # domain:port | |
| SAFE_DOMAINS = ['ziade.org:443'] | |
| @app.after_request | |
| def check_redirect(response): | |
| if response.status_code != 302: | |
| return response | |
| url = urlparse(response.location) | |
| netloc = url.netloc | |
| if url.scheme == 'http' and not netloc.endswith(':80'): | |
| netloc += ':80' | |
| if url.scheme == 'https' and not netloc.endswith(':443'): | |
| netloc += ':443' | |
| if netloc not in SAFE_DOMAINS: | |
| # not using abort() here or it'll break the hook | |
| return make_response('Forbidden', 403) | |
| return response |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment