diff --git a/apps/jumpserver/middleware.py b/apps/jumpserver/middleware.py index 54bb886dd..0b525f021 100644 --- a/apps/jumpserver/middleware.py +++ b/apps/jumpserver/middleware.py @@ -10,8 +10,8 @@ import pytz from django.conf import settings from django.core.exceptions import MiddlewareNotUsed from django.db.utils import OperationalError -from django.middleware.csrf import CsrfViewMiddleware from django.http.response import HttpResponseForbidden, JsonResponse +from django.middleware.csrf import CsrfViewMiddleware from django.shortcuts import HttpResponse from django.shortcuts import redirect from django.urls import reverse @@ -19,7 +19,6 @@ from django.utils import timezone from rest_framework import status from .utils import set_current_request -from common.utils.common import text_hmac_sha256 IGNORE_CSRF_CHECK = '*' in os.getenv("DOMAINS", "").split(',') @@ -184,6 +183,8 @@ class SafeRedirectMiddleware: return response target_host, target_port = self._split_host_port(parsed.netloc) origin_host, origin_port = self._split_host_port(request.get_host()) + if self.check_proxy_origin_verified(request, origin_host): + return response if target_host != origin_host: safe_redirect_url = '%s?%s' % (reverse('redirect-confirm'), f'next={quote(location)}') return redirect(safe_redirect_url) @@ -196,6 +197,12 @@ class SafeRedirectMiddleware: return host, port return netloc, '80' + def check_proxy_origin_verified(self, request, origin_host): + if settings.USE_X_FORWARDED_HOST and ("HTTP_X_FORWARDED_HOST" in request.META): + proxy_host, proxy_port = self._split_host_port(request.META["HTTP_X_FORWARDED_HOST"]) + return proxy_host == origin_host + return False + class CsrfCheckMiddleware(CsrfViewMiddleware): def _origin_verified(self, request):