
Bugfix #1685

Open
pxsit wants to merge 4 commits into cms-dev:main from pxsit:bugfix

Conversation

@pxsit (Contributor) commented Apr 22, 2026

Improves the handling of the next page redirection parameter in both the admin and contest handlers.
Fix #1684

pxsit added 2 commits April 22, 2026 12:27
Normalize the login "next" parameter in admin and contest login handlers.
Copilot AI review requested due to automatic review settings April 22, 2026 04:37

Copilot AI left a comment


Pull request overview

Note: Copilot was unable to run its full agentic suite in this review.

Improves safety and correctness of handling the next redirection parameter in admin and contest POST handlers to avoid unsafe redirects and better preserve allowed URLs. Fixes #1684.

Changes:

  • Parse next using urllib.parse.urlsplit in both admin and contest handlers.
  • Reject next values that include a scheme/host or don’t start with /, falling back to a safe URL.
  • Preserve query strings for accepted internal paths.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File: cms/server/contest/handlers/main.py
Description: Uses urlsplit to validate/sanitize next and preserve query parameters for contest redirects.

File: cms/server/admin/handlers/main.py
Description: Uses urlsplit to validate/sanitize next and preserve query parameters for admin redirects.


Comment thread cms/server/contest/handlers/main.py Outdated
Comment thread cms/server/admin/handlers/main.py
Comment thread cms/server/admin/handlers/main.py Outdated
@codecov

codecov Bot commented Apr 22, 2026

Codecov Report

❌ Patch coverage is 3.57143% with 27 lines in your changes missing coverage. Please review.
✅ Project coverage is 54.64%. Comparing base (779f9ff) to head (46800cd).
✅ All tests successful. No failed tests found.

Files with missing lines (Patch %, lines missing):
  cms/server/admin/handlers/main.py: 0.00%, 14 missing ⚠️
  cms/server/contest/handlers/main.py: 7.14%, 13 missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1685      +/-   ##
==========================================
- Coverage   54.68%   54.64%   -0.05%     
==========================================
  Files         336      336              
  Lines       27501    27525      +24     
==========================================
+ Hits        15039    15041       +2     
- Misses      12462    12484      +22     
Flag (Coverage Δ):
  functionaltests: 0.00% <0.00%> (ø)
  unittests: 54.64% <3.57%> (-0.05%) ⬇️


pxsit and others added 2 commits April 22, 2026 14:34
Normalize and validate the parsed next-page path in admin and contest login handlers. Handle empty paths by treating them as "/", reject URLs with a scheme or netloc, and refuse path segments that are empty or contain "." or ".." to avoid unsafe redirects or path traversal. Also ensure the query string is preserved when constructing fallback URLs. These changes harden next-parameter handling and fix edge cases when urlsplit.path is empty.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
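The validation described in the Copilot overview above and in this commit message (parse with urlsplit, reject any scheme or netloc, require a leading "/", treat an empty path as "/", refuse empty, "." and ".." segments, keep the query string of an accepted value), written out as an added standalone example. This is not code from cms-dev/cms or from this PR: the function name sanitize_next, its fallback argument and the sample inputs are assumptions. It also goes beyond what the PR describes in two places, both marked in comments: it rejects backslashes and control characters in the path, and it compares percent-decoded segments against "." and "..".

```python
"""Added example: sanitizing a login "next" parameter before redirecting.

Not code from cms-dev/cms or from PR #1685; the function name, the
``fallback`` argument and the sample inputs below are assumptions.
"""
from typing import Optional
from urllib.parse import unquote, urlsplit


def sanitize_next(next_value: Optional[str], fallback: str = "/") -> str:
    """Return a same-origin path (plus query) to redirect to, or ``fallback``.

    Accepts only values that urlsplit parses as a bare absolute path:
    no scheme, no netloc, a leading "/", and no empty, "." or ".."
    segments. An empty path (e.g. "?x=1") is treated as "/", and the
    query string of an accepted value is kept.
    """
    if not next_value:
        return fallback
    try:
        parts = urlsplit(next_value)
    except ValueError:
        # e.g. a malformed IPv6 netloc; never redirect to something
        # that could not even be parsed.
        return fallback

    # "https://evil.example/...", "//evil.example/..." and
    # "javascript:..." all carry a scheme and/or a netloc.
    if parts.scheme or parts.netloc:
        return fallback

    path = parts.path or "/"
    if not path.startswith("/"):
        # "evil.example" or "foo/bar" would be resolved relative to the
        # current page, not as an internal absolute path.
        return fallback

    # Added hardening beyond the PR: browsers treat "\" as "/" in http(s)
    # URLs, so a Location of "/\evil.example" is resolved as
    # "//evil.example" (scheme-relative) even though urlsplit sees only
    # a path. Control characters are rejected for the same "the next
    # parser sees something different" reason.
    if "\\" in path or any(ord(c) < 0x20 or ord(c) == 0x7F for c in path):
        return fallback

    if path != "/":
        for segment in path[1:].split("/"):
            # Empty segment ("/a//b" or a trailing "/"), "." or "..".
            # Decoding is added hardening beyond the PR: "%2e%2e" is
            # normalized to ".." by browsers before the request is sent.
            if segment == "" or unquote(segment) in (".", ".."):
                return fallback

    if parts.query:
        return f"{path}?{parts.query}"
    return path


# Constructed inputs: what a normal flow or an attacker might put in ?next=
SAMPLE_NEXT_VALUES = [
    "/tasks/a/description?x=1",   # normal internal path with a query
    "",                           # missing -> fallback
    "?x=1",                       # empty path -> "/" with the query kept
    "https://evil.example/",      # absolute URL -> fallback
    "//evil.example/",            # scheme-relative URL -> fallback
    "javascript:alert(1)",        # scheme only -> fallback
    "evil.example",               # no leading "/" -> fallback
    "/a/../admin",                # ".." segment -> fallback
    "/foo//bar",                  # empty segment -> fallback
    "/\\evil.example",            # backslash -> fallback (added check)
    "/%2e%2e/admin",              # encoded ".." -> fallback (added check)
]


def sanitize_all(values=SAMPLE_NEXT_VALUES, fallback="/"):
    """Map each candidate value to its sanitized redirect target."""
    return {v: sanitize_next(v, fallback) for v in values}


if __name__ == "__main__":
    for raw, target in sanitize_all().items():
        print(f"{raw!r:32} -> {target!r}")
```

Two design notes. Following the commit message literally, an empty segment is refused, so a value with a trailing slash such as "/tasks/a/" falls back; if the application has routes with trailing slashes, allow a single trailing empty segment instead. Returning the fallback rather than raising keeps the login flow working when the parameter is garbage, which is what the PR's handlers appear to do as well.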

Labels

None yet

Development

Successfully merging this pull request may close these issues.

redirect after login has wrong url

2 participants