From 10da919b19331e0aab3a2bdddda8807c7bdb56f9 Mon Sep 17 00:00:00 2001
From: Vincent Untz
Date: Mon, 20 Aug 2012 14:49:19 +0200
Subject: [PATCH] Only accept redirect when logging in if redirecting to same host

We don't want http://10.122.185.2/auth/login/?next=http://www.suse.com to redirect to http://www.suse.com. This could be used for phishing.

Change-Id: Ibda849507478eb144ffb1908a13f4ce574406108
---
 horizon/views/auth_forms.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/horizon/views/auth_forms.py b/horizon/views/auth_forms.py
index 2ebecfc..e0d27aa 100644
--- a/horizon/views/auth_forms.py
+++ b/horizon/views/auth_forms.py
@@ -23,6 +23,7 @@ Forms used for Horizon's auth mechanisms.
 """
 
 import logging
+import urlparse
 
 from django import shortcuts
 from django.conf import settings
@@ -95,6 +96,10 @@ class Login(forms.SelfHandlingForm):
             request.session['region_name'] = region_name
 
         redirect_to = request.REQUEST.get(REDIRECT_FIELD_NAME, "")
+        if redirect_to:
+            netloc = urlparse.urlparse(redirect_to)[1]
+            if netloc and netloc != request.get_host():
+                redirect_to = ""
 
         if data.get('tenant', None):
             try:
-- 
1.7.10.4
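Review bot: The netloc-only test in the new `if netloc and netloc != request.get_host():` guard still accepts `next` values that browsers treat as external: a value such as `/\evil.example` parses with an empty netloc (urlparse does not treat a backslash as a separator) yet browsers commonly read the resulting `Location: /\evil.example` as the scheme-relative `//evil.example`, and a `javascript:` or other non-HTTP scheme also has no netloc and so passes unchanged. Normalising backslashes to slashes before parsing and restricting a present scheme to http/https closes both holes, while the host comparison itself can stay as is (userinfo and port are part of netloc, so `http://10.122.185.2@evil.example/` is already rejected). The Login method this hunk edits starts and ends outside the hunk, so I cannot see where `redirect_to` is finally consumed; a small regression test covering an accepted relative `next`, a rejected foreign host, and the backslash form would be worth adding with the fix. Suggested replacement for the four added lines:
```python
        redirect_to = request.REQUEST.get(REDIRECT_FIELD_NAME, "")
        if redirect_to:
            # Browsers treat '\' like '/', so normalise first; otherwise
            # '/\evil.example' parses as a path but redirects off-host.
            parsed = urlparse.urlparse(redirect_to.replace('\\', '/'))
            if ((parsed.scheme and parsed.scheme not in ('http', 'https')) or
                    (parsed.netloc and parsed.netloc != request.get_host())):
                redirect_to = ""
        # … unchanged: tenant handling …
```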