Fix incorrect redirect protocol used by Flask
Flask's `request.url` uses `http` as the protocol, which breaks instances that enforce `https`, since the session redirect relies on `request.url` for the follow-through URL. This introduces a new method for determining the correct URL to use for these redirects by automatically replacing the protocol with `https` if the `HTTPS_ONLY` env var is set for that instance. Fixes #538 Fixes #545main
parent
0c5578937e
commit
6f5f3d8ca7
|
@ -14,7 +14,7 @@ from app.models.config import Config
|
|||
from app.models.endpoint import Endpoint
|
||||
from app.request import Request, TorError
|
||||
from app.utils.bangs import resolve_bang
|
||||
from app.utils.misc import read_config_bool, get_client_ip
|
||||
from app.utils.misc import read_config_bool, get_client_ip, get_request_url
|
||||
from app.utils.results import add_ip_card
|
||||
from app.utils.results import bold_search_terms
|
||||
from app.utils.search import *
|
||||
|
@ -120,7 +120,7 @@ def before_request_func():
|
|||
return redirect(url_for(
|
||||
'session_check',
|
||||
session_id=session['uuid'],
|
||||
follow=request.url), code=307)
|
||||
follow=get_request_url(request.url)), code=307)
|
||||
else:
|
||||
g.user_config = Config(**session['config'])
|
||||
elif 'cookies_disabled' not in request.args:
|
||||
|
@ -134,13 +134,11 @@ def before_request_func():
|
|||
g.user_config = Config(**default_config)
|
||||
|
||||
if not g.user_config.url:
|
||||
g.user_config.url = request.url_root.replace(
|
||||
'http://',
|
||||
'https://') if os.getenv('HTTPS_ONLY', False) else request.url_root
|
||||
g.user_config.url = get_request_url(request.url_root)
|
||||
|
||||
g.user_request = Request(
|
||||
request.headers.get('User-Agent'),
|
||||
request.url_root,
|
||||
get_request_url(request.url_root),
|
||||
config=g.user_config)
|
||||
|
||||
g.app_location = g.user_config.url
|
||||
|
|
|
@ -23,3 +23,10 @@ def get_client_ip(r: Request) -> str:
|
|||
return r.environ['REMOTE_ADDR']
|
||||
else:
|
||||
return r.environ['HTTP_X_FORWARDED_FOR']
|
||||
|
||||
|
||||
def get_request_url(url: str) -> str:
|
||||
if os.getenv('HTTPS_ONLY', False):
|
||||
return url.replace('http://', 'https://', 1)
|
||||
|
||||
return url
|
||||
|
|
Loading…
Reference in New Issue