From b6d084ce7a1b789730a58f2c5f8dca3f33332d38 Mon Sep 17 00:00:00 2001
From: girst
Date: Sat, 27 Jun 2020 21:25:52 +0200
Subject: [PATCH] use ?next in "log in or sign up" link
---
app/common/user.py | 4 ++--
app/templates/macros.imp.j2 | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/app/common/user.py b/app/common/user.py
index 45108ef..be4ac11 100644
--- a/app/common/user.py
+++ b/app/common/user.py
@@ -81,13 +81,13 @@ def init_login(app):
user = User.from_name(request.form.get('user'))
if user and user.check_password(request.form.get('password')):
login_user(user, remember=request.form.get('remember'))
- return redirect(url_for('youtube.index')) # XXX: don't hardcode routes of other blueprints!
+ return redirect(request.args.get('next','/')) # xxx: non-exploitable open redirect!
flash('wrong username and/or password', 'error')
elif action == 'register':
flash("open registration currently closed. ask girst on irc://chat.freenode.net/#invidious if you want an account.", 'info')
elif action == 'logout':
logout_user()
- return redirect(url_for('youtube.index')) # XXX: don't hardcode routes of other blueprints!
+ return redirect(request.args.get('next','/')) # xxx: non-exploitable open redirect!
else:
flash('unsupported action', 'error')
return redirect(url_for('usermgmt.login_form'))
diff --git a/app/templates/macros.imp.j2 b/app/templates/macros.imp.j2
index fe53448..e0c9d77 100644
--- a/app/templates/macros.imp.j2
+++ b/app/templates/macros.imp.j2
@@ -11,7 +11,7 @@
{% if current_user.is_anonymous %}
- log in or sign up
+ log in or sign up
{% else %}
{{ current_user.name }} (log out)
{% endif %}
--
2.39.3
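Review bot: The `next` value is used unvalidated in both added `return redirect(request.args.get('next','/'))` lines, so the new comment's "non-exploitable" does not hold: a link like `/login?next=https://evil.example/` makes a user who has just authenticated on the genuine site land on an attacker-chosen page, which is the phishing shape of an open redirect, and the logout branch is the same (assuming, as the commit message implies, that the form posts back to a URL that still carries the query string). Only a same-site path should be accepted: it must start with a single `/`, not with `//` or `/\` (browsers treat both as scheme-relative host references), and `urlparse(target).netloc` must be empty; anything else should fall back to `'/'`. A small helper keeps the two branches consistent and replaces the comment with a true one; `from urllib.parse import urlparse` would have to be added to the module's imports, which are outside this hunk. The view function that dispatches on `action`, and `init_login` itself, begin before the hunk.
```python
def _safe_next(default='/'):
    """Return ?next only if it is a same-site path, else `default`.

    Rejects absolute URLs and scheme-relative forms (`//host`, `/\\host`)
    so the post-login/logout redirect cannot point at another site.
    """
    target = request.args.get('next', default)
    if (target.startswith('/') and not target.startswith(('//', '/\\'))
            and urlparse(target).netloc == ''):
        return target
    return default

# … unchanged: credential check, login_user(...) …
            return redirect(_safe_next())  # validated same-site path; not an open redirect
# … unchanged: register branch, logout_user() …
            return redirect(_safe_next())
```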