Fix code scanning alert no. 81: URL redirection from remote source

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
EsupPortail · Nov 21, 2024 · 151af7c · 151af7c
1 parent 097edab
commit 151af7c
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/pod/playlist/views.py b/pod/playlist/views.py
@@ -13,7 +13,8 @@
 from django.shortcuts import get_object_or_404, redirect, render
 from django.template.loader import render_to_string
 from django.views.decorators.csrf import csrf_protect, ensure_csrf_cookie
-from django.http import Http404, HttpResponseBadRequest, JsonResponse
+from django.http import Http404, HttpResponseBadRequest, JsonResponse, HttpResponseRedirect
+from django.utils.http import url_has_allowed_host_and_scheme
 from django.db import transaction
 
 from pod.main.utils import is_ajax
@@ -224,7 +225,11 @@ def toggle_render_playlist_user_has_right(
                 messages.ERROR,
                 _("The password is incorrect."),
             )
-            return redirect(request.headers["referer"])
+            referer = request.headers.get("referer", "/")
+            if url_has_allowed_host_and_scheme(referer, allowed_hosts=None):
+                return redirect(referer)
+            else:
+                return redirect('/')
     else:
         form = PlaylistPasswordForm()
         return render(