[OSSA-2020-008] Open redirect in workflow forms (CVE-2020-29565)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Dashboard (Horizon) | Fix Released | Undecided | Radomir Dopieralski |
OpenStack Security Advisory | Fix Released | Medium | Gage Hugo |
Bug Description
This affects all released versions of Horizon.
It is possible to make Horizon redirect to an arbitrary URL:
Steps to Reproduce:
1. Visit https:/
2. Click on Instances
3. Pick any available instance and click on it.
4. On the right side, click the down-arrow button.
5. Hover over 'Edit Instance', copy its link location and open it in the same browser, in the same tab.
6. It will look like:
https:/
7. It will redirect the page to Evil.com.
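What the steps above exploit, and the same-origin check that the proposed fix further down this page applies, as an added example that is not code from this report or from Horizon (the dashboard URL and the candidate `next` values are constructed; the two helpers model Django's `same_origin` and `build_absolute_uri` with the standard library so the script runs without Django):

```python
"""Open redirect through an unvalidated ``next`` parameter, and the origin check
that closes it. Added example, not Horizon code; uses only the standard library
so it runs without Django. ``same_origin`` mirrors django.utils.http.same_origin
(scheme, host and port must match, default ports filled in) and
``build_absolute_uri`` mirrors HttpRequest.build_absolute_uri, which resolves the
candidate against the current request URL before the comparison."""
from typing import Optional
from urllib.parse import urljoin, urlsplit

# Constructed URL standing in for the dashboard page that renders the form.
CURRENT_URL = "https://dashboard.example.com/project/instances/abc/update"

DEFAULT_PORTS = {"http": 80, "https": 443}


def build_absolute_uri(current_url: str, location: Optional[str] = None) -> str:
    """Resolve ``location`` against the current request URL (RFC 3986 join)."""
    return current_url if location is None else urljoin(current_url, location)


def _origin(url: str) -> tuple:
    parts = urlsplit(url)
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)
    return (parts.scheme, parts.hostname, port)


def same_origin(url1: str, url2: str) -> bool:
    """True when scheme, host and port of both URLs match."""
    return _origin(url1) == _origin(url2)


def redirect_url_vulnerable(next_param: Optional[str]) -> Optional[str]:
    """Pre-fix behaviour: whatever ``next`` carries becomes the form's target."""
    return next_param


def redirect_url_fixed(current_url: str, next_param: Optional[str]) -> Optional[str]:
    """Post-fix behaviour: drop any target that is not on this request's origin."""
    redirect_to = next_param
    if redirect_to and not same_origin(
            build_absolute_uri(current_url, redirect_to),
            build_absolute_uri(current_url)):
        redirect_to = None
    return redirect_to


if __name__ == "__main__":
    # Constructed candidates: a same-site path, a different host, a
    # scheme-relative host, and the same host on a different port.
    for candidate in ("/project/instances/", "https://evil.com/",
                      "//evil.com/", "https://dashboard.example.com:8443/"):
        print(f"{candidate!r:42} vulnerable -> {redirect_url_vulnerable(candidate)!r:42}"
              f" fixed -> {redirect_url_fixed(CURRENT_URL, candidate)!r}")
```

Relative paths survive because the join resolves them onto the current origin, while scheme-relative values such as `//evil.com/` are resolved to a foreign origin first and therefore fail the comparison.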
CVE References
description: updated
Changed in horizon:
- assignee: nobody → Radomir Dopieralski (deshipu)
- status: New → In Progress
summary: Open redirect in workflow forms → Open redirect in workflow forms (CVE-2020-29565)
It looks like we have no validation on the "next" parameter, which is getting passed to the target attribute of the form.
A possible fix could look like this:
diff --git a/horizon/workflows/views.py b/horizon/workflows/views.py
index 9c8fe1a27..2caf969e3 100644
--- a/horizon/workflows/views.py
+++ b/horizon/workflows/views.py
@@ -90,8 +90,14 @@ class WorkflowView(hz_views.ModalBackdropMixin, generic.TemplateView):
         workflow = self.get_workflow()
         workflow.verify_integrity()
         context[self.context_object_name] = workflow
-        next = self.request.GET.get(workflow.redirect_param_name)
-        context['REDIRECT_URL'] = next
+        redirect_to = self.request.GET.get(workflow.redirect_param_name)
+        # Make sure the requested redirect matches the protocol,
+        # domain, and port of this request
+        if redirect_to and not http.same_origin(
+                request.build_absolute_uri(redirect_to),
+                request.build_absolute_uri()):
+            redirect_to = None
+        context['REDIRECT_URL'] = redirect_to
         context['layout'] = self.get_layout()
         context['modal'] = 'modal' in context['layout']
         # For consistency with Workflow class
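Review bot: the added `if` in this hunk calls `request.build_absolute_uri(...)` on a bare `request`, while the line directly above it reads `redirect_to = self.request.GET.get(...)`; unless `request` is bound earlier in the method (nothing in the hunk shows that), the first request carrying a non-empty redirect parameter will raise NameError, so both lines should read `self.request.build_absolute_uri(redirect_to)` and `self.request.build_absolute_uri()`. The hunk also adds no import for `http`, so confirm `from django.utils import http` already exists in this module. The check itself is sound: `build_absolute_uri` resolves relative and scheme-relative (`//host/...`) values against the current request before `same_origin` compares scheme, host and port, so only same-origin targets reach `context['REDIRECT_URL']`; if an allow-list of extra hosts is ever needed, Django's `url_has_allowed_host_and_scheme` is the purpose-built helper rather than widening this comparison.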