Bugfix #1685

Merged
prandla merged 6 commits into cms-dev:main from pxsit:bugfix
Apr 23, 2026

Conversation

@pxsit
Contributor

@pxsit pxsit commented Apr 22, 2026

Improves the handling of the next page redirection parameter in both the admin and contest handlers.
Fix #1684

pxsit added 2 commits April 22, 2026 12:27
normalize the login "next" parameter in admin and contest login handlers.
Copilot AI review requested due to automatic review settings April 22, 2026 04:37

Copilot AI left a comment


Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Improves safety and correctness of handling the next redirection parameter in admin and contest POST handlers to avoid unsafe redirects and better preserve allowed URLs. Fixes #1684.

Changes:

  • Parse next using urllib.parse.urlsplit in both admin and contest handlers.
  • Reject next values that include a scheme/host or don’t start with /, falling back to a safe URL.
  • Preserve query strings for accepted internal paths.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File: cms/server/contest/handlers/main.py
Description: Uses urlsplit to validate/sanitize next and preserve query parameters for contest redirects.

File: cms/server/admin/handlers/main.py
Description: Uses urlsplit to validate/sanitize next and preserve query parameters for admin redirects.


Comment thread cms/server/contest/handlers/main.py Outdated
Comment thread cms/server/admin/handlers/main.py
Comment thread cms/server/admin/handlers/main.py Outdated
@codecov

codecov Bot commented Apr 22, 2026

Codecov Report

❌ Patch coverage is 16.66667% with 15 lines in your changes missing coverage. Please review.
✅ Project coverage is 54.17%. Comparing base (66475db) to head (41aa0c9).
⚠️ Report is 1 commit behind head on main.
✅ All tests successful. No failed tests found.

Files with missing lines Patch % Lines
cms/server/util.py 14.28% 12 Missing ⚠️
cms/server/admin/handlers/main.py 0.00% 2 Missing ⚠️
cms/server/contest/handlers/main.py 50.00% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1685      +/-   ##
==========================================
- Coverage   54.18%   54.17%   -0.02%     
==========================================
  Files         340      340              
  Lines       27835    27844       +9     
==========================================
+ Hits        15083    15085       +2     
- Misses      12752    12759       +7     
Flag Coverage Δ
functionaltests 0.00% <0.00%> (ø)
unittests 54.17% <16.66%> (-0.02%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.


pxsit and others added 2 commits April 22, 2026 14:34
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Normalize and validate the parsed next-page path in admin and contest login handlers. Handle empty paths by treating them as "/", reject URLs with a scheme or netloc, and refuse path segments that are empty or contain "." or ".." to avoid unsafe redirects or path traversal. Also ensure the query string is preserved when constructing fallback URLs. These changes harden next-parameter handling and fix edge cases when urlsplit.path is empty.
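The validation that the Copilot summary and the commit message above describe, written out as a stand-alone Python helper so the accept/reject rules can be exercised on sample inputs. This is an added example, not the code from PR #1685 or from cms/server/util.py; the function name sanitize_next_url, the fallback parameter and the sample inputs are assumptions, and the rejection of backslashes is an extra defensive rule not mentioned on the page.

```python
from urllib.parse import urlsplit, urlunsplit


def sanitize_next_url(next_url, fallback="/"):
    """Return a safe, site-local redirect target derived from ``next_url``.

    Rules, following the PR description and commit message:
      * an empty value falls back to ``fallback``;
      * anything carrying a scheme or a host (netloc) is rejected, which also
        covers protocol-relative values such as ``//host/path``;
      * an empty path is treated as ``/``; any other path must start with ``/``;
      * every path segment must be non-empty and must not be ``.`` or ``..``,
        so traversal-style paths and doubled slashes are refused;
      * the query string of an accepted path is preserved, the fragment is dropped.

    Extra rule (assumption, not from the page): a backslash anywhere in the
    path is rejected, because some clients treat ``\\`` like ``/``.
    """
    if not next_url:
        return fallback

    parts = urlsplit(next_url)

    # Any scheme or host means the target is not a local path: reject it.
    if parts.scheme or parts.netloc:
        return fallback

    path = parts.path or "/"
    if not path.startswith("/"):
        return fallback

    # Defensive extra check (assumption): refuse backslashes in the path.
    if "\\" in path:
        return fallback

    # Check every segment after the leading slash; "/" alone has no segments.
    segments = path[1:].split("/") if path != "/" else []
    for segment in segments:
        if segment == "" or segment in (".", ".."):
            return fallback

    # Rebuild with only path and query: no scheme, no host, no fragment.
    return urlunsplit(("", "", path, parts.query, ""))


def sanitize_many(values, fallback="/"):
    """Map each candidate value to its sanitized redirect target."""
    return {value: sanitize_next_url(value, fallback) for value in values}


if __name__ == "__main__":
    # Constructed sample values for a quick manual run.
    samples = [
        "/contest/tasks?page=2",
        "/",
        "?q=1",
        "http://evil.example/x",
        "//evil.example/x",
        "/a/../admin",
        "contest/tasks",
        "/x#frag",
    ]
    for value, result in sanitize_many(samples).items():
        print(f"{value!r:28} -> {result!r}")
```

Note that the literal reading of the commit message ("refuse path segments that are empty") also rejects paths with a trailing slash such as /contest/, since the trailing empty segment fails the check; only the bare root path "/" is special-cased.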
Member

@prandla prandla left a comment


There's a bunch of code that's duplicated between the CWS and AWS parts now. I'd suggest moving them into a helper function in cms/server/util.py.

Comment thread cms/server/admin/handlers/main.py Outdated
@pxsit pxsit requested a review from prandla April 23, 2026 13:06
@prandla prandla merged commit c682a55 into cms-dev:main Apr 23, 2026
3 of 4 checks passed
@pxsit pxsit deleted the bugfix branch April 24, 2026 06:43

Development

Successfully merging this pull request may close these issues.

redirect after login has wrong url

3 participants