Flask-login doc says we should validate next using next_is_valid()
, but I can't find any such method:
Warning: You MUST validate the value of the next parameter. If you do not, your application will be vulnerable to open redirects.
@app.route('/login', methods=['GET', 'POST'])
def login():
# Here we use a class of some kind to represent and validate our
# client-side form data. For example, WTForms is a library that will
# handle this for us.
form = LoginForm()
if form.validate_on_submit():
# Login and validate the user.
login_user(user)
flask.flash('Logged in successfully.')
next = flask.request.args.get('next')
if not next_is_valid(next):
return flask.abort(400)
return flask.redirect(next or flask.url_for('index'))
return flask.render_template('login.html', form=form)
Running this I get the error:
NameError: global name 'next_is_valid' is not defined
And if I do:
from flask.ext.login import next_is_valid
>> ImportError: cannot import name next_is_valid
Where is the next_is_valid()
function, and if it doesn't exist, how do I validate the next
parameter?
It doesn't say you must validate next
with next_is_valid
, only that
You MUST validate the value of the next parameter.
next_is_valid
is just an example function.
You must determine if next
is valid based on your own criteria. next
is the url to redirect to on a successful login. If you have any permissions to apply or restrictions on your site this is where you would want to make sure they are enforced.
For example, a user could attempt to login with the request url http://example.com/login?next=admin/delete/all/users
. If the login attempt was successful and the admin permission was not checked within your login function or on the endpoint itself, well, bad things could happen. It all depends on how you structure your application and control access to individual endpoints.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With