mirror of
https://github.com/nesquena/hermes-webui.git
synced 2026-05-25 11:10:18 +00:00
399f12ac96
PR #1419 (login session TTL + redirect-back + connectivity probe) had a real bug in the server-side ?next= construction: quote(path, safe='/:@!$&'()*+,;=') keeps ? and & literal, so:

(a) /api/sessions?limit=50&offset=0 round-trips as /api/sessions?limit=50 — the inner & terminates the outer next= value and offset=0 leaks as a top-level outer query the login page ignores.

(b) An attacker-controlled path with embedded &next=https://evil.com injects a second top-level next parameter. Browsers parse first-match (benign), Python parse_qs parses last-match (the evil URL) — the parser divergence is a footgun even though _safeNextPath() in login.js rejects the actual exploit.

Fix: encode the entire path?query blob with safe='/' so ?, &, = all percent-encode. The outer next then holds exactly one path-with-query string the browser auto-decodes once.

6 regression tests in test_v050258_opus_followups.py pin round-trip behavior across simple paths, single-query, multi-param queries, attacker-injection neutralization, and the SESSION_TTL=30d constant. Full suite: 3610 passed, 0 failed.
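The round-trip failure and the parser divergence described in the commit, reproduced as an added example (not code from hermes-webui or PR #1419): it encodes the same paths with the wide safe set and with safe='/', then reads the outer next= back the way parse_qs does (last value wins) and the way URLSearchParams.get() does (first value wins). Function and constant names are hypothetical.

```python
"""Round-trip check for the login ?next= construction described above.

Added example, not code from hermes-webui or PR #1419: it rebuilds the two
encodings the commit contrasts and parses the result the way Python's parse_qs
does (last value wins) versus URLSearchParams.get() (first value wins).
All function and constant names here are hypothetical.
"""
from typing import List, Optional
from urllib.parse import parse_qs, quote, urlsplit

BUGGY_SAFE = "/:@!$&'()*+,;="  # safe set quoted in the commit: & and = stay literal
FIXED_SAFE = "/"               # safe set from the fix: ? & = get percent-encoded


def build_login_url(path_with_query: str, safe: str) -> str:
    """Build the redirect-back URL /login?next=<encoded path?query>."""
    return "/login?next=" + quote(path_with_query, safe=safe)


def next_values(login_url: str) -> List[str]:
    """All decoded values of the outer next= parameter, in order."""
    return parse_qs(urlsplit(login_url).query).get("next", [])


def next_as_python_sees_it(login_url: str) -> Optional[str]:
    """Server side (parse_qs semantics): the LAST repeated key wins."""
    vals = next_values(login_url)
    return vals[-1] if vals else None


def next_as_browser_sees_it(login_url: str) -> Optional[str]:
    """Client side (URLSearchParams.get semantics): the FIRST key wins."""
    vals = next_values(login_url)
    return vals[0] if vals else None


def round_trips(path_with_query: str, safe: str) -> bool:
    """True when the path?query survives as exactly one outer next= value."""
    return next_values(build_login_url(path_with_query, safe)) == [path_with_query]


if __name__ == "__main__":
    for p in ("/api/sessions?limit=50&offset=0", "/dash&next=https://evil.com"):
        for label, safe in (("buggy", BUGGY_SAFE), ("fixed", FIXED_SAFE)):
            url = build_login_url(p, safe)
            print(label, url, "->", next_as_python_sees_it(url),
                  "| browser:", next_as_browser_sees_it(url))
```

With the buggy safe set the multi-param path comes back truncated and the injected path yields two next= values that the two parsers resolve differently; with safe='/' both come back as exactly one value.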