preselected field in browser will redirect to user-specified url

[Michael Ching <michaelc@…>]

The "preselected" variable is used to form a redirect in the browser sub-system and will allow redirects to any URL.

For example "​http://trac.edgewall.org/demo-0.12/browser?preselected=http://www.python.org" will redirect to python.org. This can be used to mask the identity of links.

Depending on what other systems are using this link, this could perhaps be avoided by checking that the arg starts with a '/' and that it contains '/browser/'.

diff -ru Trac-0.11.7/trac/versioncontrol/web_ui/browser.py trac-0.11.7/trac/versioncontrol/web_ui/browser.py
--- Trac-0.11.7/trac/versioncontrol/web_ui/browser.py	2010-03-09 16:49:38.000000000 -0600
+++ trac-0.11.7/trac/versioncontrol/web_ui/browser.py	2010-07-23 04:23:47.000000000 -0500
@@ -319,7 +319,7 @@
 
     def process_request(self, req):
         go_to_preselected = req.args.get('preselected')
-        if go_to_preselected:
+        if go_to_preselected and go_to_preselected.startswith('/') and go_to_preselected.find('/browser/') > -1:
             req.redirect(go_to_preselected)
 
         path = req.args.get('path', '/')

[Remy Blank]

Interesting. I wonder why we use absolute URLs at all, instead of relative URLs. Is this preselected= argument part of a public API, or could we just change it to only accept relative URLs?

For reference, in the processing of /login, we check that the referer is in the same site. The same applies to the referer= argument (though we could also only use relative URLs there).

[Remy Blank]

My bad, we use relative URLs for preselected=, and it's used for the quickjump functionality in the repository browser. So we can actually check that preselected starts with req.href.browser(). Fixed in [9977].