openstack
/
horizon
Code Issues Proposed changes

Merge "Fix open redirect" into stable/queens

This commit is contained in:
Zuul 2020-12-26 18:09:50 +00:00 committed by Gerrit Code Review
parent 301c34b911 8825407c1b
commit 24092dc9cb
3 changed files with 42 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
horizon/test/unit/workflows/test_workflows.py
View File

@ -14,8 +14,8 @@
from django import forms from django import forms
from django import http from django import http
from django.test.utils import override_settings
import mock import mock
import six import six
from horizon import exceptions from horizon import exceptions
@ -360,3 +360,27 @@ class WorkflowsTests(test.TestCase):
flow = TestWorkflow(req, entry_point="test_action_two") flow = TestWorkflow(req, entry_point="test_action_two")
self.assertEqual("test_action_two", flow.get_entry_point()) self.assertEqual("test_action_two", flow.get_entry_point())
@override_settings(ALLOWED_HOSTS=['localhost'])
def test_redirect_url_safe(self):
url = 'http://localhost/test'
view = TestWorkflowView()
request = self.factory.get("/", data={
'next': url,
})
request.META['SERVER_NAME'] = "localhost"
view.request = request
context = view.get_context_data()
self.assertEqual(url, context['REDIRECT_URL'])
@override_settings(ALLOWED_HOSTS=['localhost'])
def test_redirect_url_unsafe(self):
url = 'http://evilcorp/test'
view = TestWorkflowView()
request = self.factory.get("/", data={
'next': url,
})
request.META['SERVER_NAME'] = "localhost"
view.request = request
context = view.get_context_data()
self.assertIsNone(context['REDIRECT_URL'])

12
horizon/workflows/views.py
View File

@ -18,6 +18,7 @@ import json
from django import forms from django import forms
from django import http from django import http
from django import shortcuts from django import shortcuts
from django.utils import http as utils_http
from django.views import generic from django.views import generic
import six import six
@ -92,8 +93,15 @@ class WorkflowView(hz_views.ModalBackdropMixin, generic.TemplateView):
workflow = self.get_workflow() workflow = self.get_workflow()
workflow.verify_integrity() workflow.verify_integrity()
context[self.context_object_name] = workflow context[self.context_object_name] = workflow
next = self.request.GET.get(workflow.redirect_param_name)
context['REDIRECT_URL'] = next redirect_to = self.request.GET.get(workflow.redirect_param_name)
# Make sure the requested redirect is safe
if redirect_to and not utils_http.is_safe_url(
url=redirect_to,
host=self.request.get_host()):
redirect_to = None
context['REDIRECT_URL'] = redirect_to
context['layout'] = self.get_layout() context['layout'] = self.get_layout()
# For consistency with Workflow class # For consistency with Workflow class
context['modal'] = 'modal' in context['layout'] context['modal'] = 'modal' in context['layout']

7
releasenotes/notes/bug-cd9099c1ba78d637.yaml Normal file
View File

@ -0,0 +1,7 @@
---
security:
- |
An open redirect has been fixed, that could redirect users to arbitrary
addresses from certain views by specifying a "next" parameter in the URL.
Now the redirect will only work if the target URL is in the same domain,
and uses the same protocol.