Pēteris Caune 7252f2f101

Fix _allow_redirect function to reject absolute URLs ...

This fixes a security issue:
- attacker can crafts a redirect URL to an external site
- attacker gets victim to click on it
- victim logs in
- after login, Healthchecks redirects victim to the external site

The _allow_redirect function now additionally
requires the redirect URL is relative (has no scheme or domain).

2021-08-06 13:34:40 +03:00

..

management

Update the signup form to collect browser's timezone

2021-05-24 14:38:12 +03:00

migrations

Add support for 2FA using TOTP

2021-07-30 16:43:23 +03:00

tests

Fix _allow_redirect function to reject absolute URLs

2021-08-06 13:34:40 +03:00

__init__.py

Initial commit

2015-06-11 22:12:09 +03:00

admin.py

Add admin action to log in as any user

2021-07-20 11:16:12 +03:00

backends.py

Add http header auth (#457)

2020-12-09 11:25:56 +02:00

decorators.py

Add rate limiting to the sudo code form

2020-11-13 22:04:19 +02:00

forms.py

Add protection against TOTP code reuse

2021-07-30 18:17:21 +03:00

middleware.py

Add http header auth (#457)

2020-12-09 11:25:56 +02:00

models.py

Add support for 2FA using TOTP

2021-07-30 16:43:23 +03:00

urls.py

Add support for 2FA using TOTP

2021-07-30 16:43:23 +03:00

views.py

Fix _allow_redirect function to reject absolute URLs

2021-08-06 13:34:40 +03:00