
Merge "Fix open redirect" into stable/queens

changes/10/776310/1
Zuul 5 months ago
committed by Gerrit Code Review
parent
commit
24092dc9cb
3 changed files with 42 additions and 3 deletions
  1. +25
    -1
      horizon/test/unit/workflows/test_workflows.py
  2. +10
    -2
      horizon/workflows/views.py
  3. +7
    -0
      releasenotes/notes/bug-cd9099c1ba78d637.yaml

+ 25
- 1
horizon/test/unit/workflows/test_workflows.py View File

@ -14,8 +14,8 @@
from django import forms
from django import http
from django.test.utils import override_settings
import mock
import six
from horizon import exceptions
@ -360,3 +360,27 @@ class WorkflowsTests(test.TestCase):
flow = TestWorkflow(req, entry_point="test_action_two")
self.assertEqual("test_action_two", flow.get_entry_point())
@override_settings(ALLOWED_HOSTS=['localhost'])
def test_redirect_url_safe(self):
url = 'http://localhost/test'
view = TestWorkflowView()
request = self.factory.get("/", data={
'next': url,
})
request.META['SERVER_NAME'] = "localhost"
view.request = request
context = view.get_context_data()
self.assertEqual(url, context['REDIRECT_URL'])
@override_settings(ALLOWED_HOSTS=['localhost'])
def test_redirect_url_unsafe(self):
url = 'http://evilcorp/test'
view = TestWorkflowView()
request = self.factory.get("/", data={
'next': url,
})
request.META['SERVER_NAME'] = "localhost"
view.request = request
context = view.get_context_data()
self.assertIsNone(context['REDIRECT_URL'])
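Review bot: The two new tests only cover absolute URLs, so the validator's boundary cases stay unchecked: a relative path such as `/projects/` should come back unchanged in `context['REDIRECT_URL']`, and a scheme-relative target such as `//evilcorp/test` should be dropped the same way the absolute off-host one is. The request setup (factory.get with `next`, the SERVER_NAME override, assigning `view.request`) is duplicated verbatim between `test_redirect_url_safe` and `test_redirect_url_unsafe`; a small helper such as `_redirect_context_for(self, url)` that builds the request and returns `view.get_context_data()` would reduce each test to its URL and assertion. The WorkflowsTests class continues outside the hunk.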

+ 10
- 2
horizon/workflows/views.py View File

@ -18,6 +18,7 @@ import json
from django import forms
from django import http
from django import shortcuts
from django.utils import http as utils_http
from django.views import generic
import six
@ -92,8 +93,15 @@ class WorkflowView(hz_views.ModalBackdropMixin, generic.TemplateView):
workflow = self.get_workflow()
workflow.verify_integrity()
context[self.context_object_name] = workflow
next = self.request.GET.get(workflow.redirect_param_name)
context['REDIRECT_URL'] = next
redirect_to = self.request.GET.get(workflow.redirect_param_name)
# Make sure the requested redirect is safe
if redirect_to and not utils_http.is_safe_url(
url=redirect_to,
host=self.request.get_host()):
redirect_to = None
context['REDIRECT_URL'] = redirect_to
context['layout'] = self.get_layout()
# For consistency with Workflow class
context['modal'] = 'modal' in context['layout']
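Review bot: The new check validates only the host, so under an HTTPS request a `next` value pointing at `http://` on the same host still passes, which does not match the release note's statement that the target must use the same protocol; pass `require_https=self.request.is_secure()` as well, i.e. `url=redirect_to, host=self.request.get_host(), require_https=self.request.is_secure()):`. Django has deprecated the `host=` keyword of `is_safe_url` in favour of `allowed_hosts=`, so while this call is presumably fine on the Django version stable/queens targets, it will need updating on a newer release. The existing comment could also say why the value is dropped instead of the request being rejected, e.g. `# Drop an unsafe target instead of failing the request; REDIRECT_URL is presumably optional for the template`. The enclosing method (presumably get_context_data, given the test calls it) starts and ends outside the hunk.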


+ 7
- 0
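--- a/releasenotes/notes/bug-cd9099c1ba78d637.yaml
+++ b/releasenotes/notes/bug-cd9099c1ba78d637.yaml
@@ -0,0 +1,7 @@
+---
+security:
+- |
+An open redirect has been fixed, that could redirect users to arbitrary
+addresses from certain views by specifying a "next" parameter in the URL.
+Now the redirect will only work if the target URL is in the same domain,
+and uses the same protocol.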
