From b5d7f641270d2283f0b4ab5e4767c86e4e18bf9b Mon Sep 17 00:00:00 2001
From: Paul McMillan
Date: Wed, 22 Aug 2012 12:15:40 -0700
Subject: [PATCH] Fix open redirect in Horizon. LP 1039077.

Disallow login redirects to anywhere other than the same origin.

Change-Id: I36e8e4f30cf440ecc73534af38fcd8d2a111a603
---
 horizon/views/auth_forms.py | 9 ++++++++-
 1 files changed, 8 insertions(+), 1 deletions(-)

diff --git a/horizon/views/auth_forms.py b/horizon/views/auth_forms.py
index 2ebecfc..abf0880 100644
--- a/horizon/views/auth_forms.py
+++ b/horizon/views/auth_forms.py
@@ -28,6 +28,7 @@ from django import shortcuts
 from django.conf import settings
 from django.contrib import messages
 from django.contrib.auth import REDIRECT_FIELD_NAME
+from django.utils.http import same_origin
 from django.utils.translation import ugettext as _
 
 from keystoneclient import exceptions as keystone_exceptions
@@ -94,7 +95,13 @@ class Login(forms.SelfHandlingForm):
         request.session['region_endpoint'] = endpoint
         request.session['region_name'] = region_name
 
-        redirect_to = request.REQUEST.get(REDIRECT_FIELD_NAME, "")
+        redirect_to = request.REQUEST.get(REDIRECT_FIELD_NAME, None)
+        # Make sure the requested redirect matches the protocol,
+        # domain, and port of this request
+        if redirect_to and not same_origin(
+            request.build_absolute_uri(redirect_to),
+            request.build_absolute_uri()):
+            redirect_to = None
 
         if data.get('tenant', None):
             try:
-- 
1.7.5.4
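Review bot: The new same_origin() check in Login.handle (second hunk) does not fail closed if URL parsing raises: same_origin() runs the user-supplied value through urlparse, and as far as I recall the stdlib `.port` accessor on Python 2.7 raises ValueError on a non-numeric port, so a malformed `next` value would turn the login POST into a server error rather than a dropped redirect. Wrapping the comparison so that a parse failure is treated as "not same origin" keeps the intended behaviour without widening what is accepted. It would also help operators to log (at debug level) when a redirect target is discarded, since repeated rejections are a useful signal of open-redirect probing; whether this module already has a logger is not visible in the hunk. The remainder of handle, including the line that consumes redirect_to, lies outside the hunk.
```python
        redirect_to = request.REQUEST.get(REDIRECT_FIELD_NAME, None)
        # Make sure the requested redirect matches the protocol,
        # domain, and port of this request; any failure to parse the
        # supplied value is treated as a mismatch so the check fails closed.
        if redirect_to:
            try:
                is_same = same_origin(request.build_absolute_uri(redirect_to),
                                      request.build_absolute_uri())
            except ValueError:
                is_same = False
            if not is_same:
                redirect_to = None
        # … unchanged: tenant handling …
```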