Hey @anonrig, thanks for offering! It sounds like getting Django to do this themselves isn't going to happen unless somebody demonstrates that the WHATWG test suite is still vulnerable in Python, and I don't think I'll have time to do that.
So, I think what that means is we'd like to use Ada to do our redirects in CourtListener when people log in.
I don't imagine you're familiar enough with Django (and interested enough) to take a stab at that, are you?
I actually suspect your time would be better spent convincing Django devs they should worry about this more...
A while back, I removed redirect-on-login functionality from CourtListener because it was exposing a vulnerability in Python. I reported the Python vulnerability, and it was fixed:
https://bugs.python.org/issue43882
But it was kind of a mess, honestly. The volunteer that fixed it didn't check if the WHATWG test suite passed properly, and just focused on the small vuln that I reported. I'm pretty sure `urlparse` is still parsing things incorrectly and probably still vulnerable, so I didn't reinstate our redirect-on-login functionality even once Python was "fixed."
Now, when people log in, they just go to the homepage, and bots.law inherited this functionality. Lame.
There is, however, hope. A new library called Ada actually passes the WHATWG test suite, is fast, has Python bindings, and seems really great:
https://github.com/ada-url/ada?tab=readme-ov-file
Maybe we should use it and make it so redirect-on-login works again.
But before we do that, I wanted to see if Django would integrate Ada directly, so I opened a discussion about that here:
https://groups.google.com/g/django-developers/c/Zp9mKpBn4u8
If we get a 👍 from them, we should just add it to Django, wait for that, and then fix our redirect system.
If it gets a 👎, we should just use Ada ourselves to fix our redirect system.
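Whichever parser ends up doing the work, the redirect-on-login check itself can be written so that it does not depend on a parser's handling of edge cases. The following is an added example, not code from CourtListener, Django, Ada or the Python issue: a stdlib-only validator that rejects control characters and backslashes outright, accepts only a single-slash relative path or an absolute URL whose scheme and host are on an explicit allowlist, and falls back to the homepage otherwise. The host `www.courtlistener.com` in the allowlist and the function names are assumptions chosen for the example.

```python
"""Defensive validation of a post-login redirect target (added example).

The idea is to refuse anything ambiguous before the URL parser sees it,
and then to accept only what an explicit allowlist permits, so the outcome
does not hinge on whether the parser agrees with the WHATWG spec.
"""
import re
from urllib.parse import urlsplit

# Constructed allowlist for the example; a real deployment would load this
# from settings (e.g. Django's ALLOWED_HOSTS).
ALLOWED_HOSTS = {"www.courtlistener.com"}

# Any ASCII control character, space, or DEL anywhere in the target.
_CONTROL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]")

# A relative target must start with exactly one slash ("/path"), never
# "//" (protocol-relative) or "/\" which browsers treat like "//".
_SAFE_RELATIVE_PATH = re.compile(r"^/(?![/\\])")


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS, require_https=True):
    """Return True only if `target` may be used as a redirect destination."""
    if not target:
        return False

    # Parsers differ on whether tabs, newlines and other control characters
    # are stripped, tolerated or terminate a component. Refusing them
    # removes the disagreement instead of relying on one parser's answer.
    if _CONTROL_OR_SPACE.search(target):
        return False

    # Browsers treat "\" as "/" in http(s) URLs; reject rather than interpret.
    if "\\" in target:
        return False

    parts = urlsplit(target)

    # No scheme and no authority: a relative target. Only "/path" is allowed.
    if not parts.scheme and not parts.netloc:
        return bool(_SAFE_RELATIVE_PATH.match(target))

    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return False
    if require_https and scheme != "https":
        return False

    # urlsplit().hostname is lowercased and has IPv6 brackets removed.
    host = parts.hostname
    if host is None or host not in allowed_hosts:
        return False

    # Userinfo ("https://trusted@other/") is a classic source of host
    # confusion between parsers and browsers; never allow it.
    if parts.username or parts.password:
        return False

    return True


def choose_redirect(target, fallback="/"):
    """Pick the post-login destination: the target if safe, else the fallback."""
    return target if is_safe_redirect(target) else fallback


if __name__ == "__main__":
    for candidate in ("/dashboard/", "//example.org/", "https://www.courtlistener.com/x"):
        print(f"{candidate!r:45} -> {choose_redirect(candidate)!r}")
```

The allowlist comparison uses `urlsplit().hostname`, so a target with a port or upper-case host still matches, while anything whose authority the parser reads as a different host is sent to the fallback. Swapping in Ada's Python bindings for `urlsplit` would change only the parsing line; the pre-parse rejections and the allowlist stay the same.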