indico · ThiefMaster · Feb 9, 2025 · Feb 6, 2025 · Feb 9, 2025
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -1,6 +1,11 @@
 Changelog
 =========
 
+Version 0.8
+-----------
+
+- Reject ``next`` URLs containing linebreaks gracefully
+
 Version 0.7
 -----------
 

diff --git a/flask_multipass/core.py b/flask_multipass/core.py
@@ -8,7 +8,7 @@
 from urllib.parse import urlsplit
 
 from flask import current_app, flash, redirect, render_template, request, session, url_for
-from werkzeug.datastructures import ImmutableDict
+from werkzeug.datastructures import Headers, ImmutableDict
 from werkzeug.exceptions import NotFound
 
 from flask_multipass.auth import AuthProvider
@@ -145,6 +145,13 @@ def validate_next_url(self, url):
         If you override this and want to allow more hosts, make sure to use
         a whitelist of trusted hosts to avoid creating an open redirector.
         """
+        # next_url comes as URL param, so it can have newline chars (as %0a and %0d).
+        # In redirect response it goes into header (Location).
+        # Werkzeug doesn't tolerate newline chars in header and raises ValueError.
+        try:
+            Headers([('test-header', url)])
+        except ValueError:
+            return False
         # Browsers treat backslashes like forward slashes, while urllib doesn't.
         # Since we just want to validate scheme and netloc here, we normalize
         # slashes to those recognized by urllib.

diff --git a/tests/test_core.py b/tests/test_core.py
@@ -156,6 +156,10 @@ def test_next_url_invalid():
     ('//localhost/foo', True),
     ('http://localhost', True),
     ('https://localhost/', True),
+    ('\n', False),
+    ('\r', False),
+    ('\n\r', False),
+    ('evil\n', False),
     ('//evil', False),
     ('//evil.com', False),
     ('//evil.com:80', False),