Fix open redirect in Horizon.

LP 1039077. Disallow login redirects to anywhere other than the same origin. Change-Id: I36e8e4f30cf440ecc73534af38fcd8d2a111a603
2012-08-22 12:15:40 -07:00 · 2012-08-22 12:15:40 -07:00 · 35eada8a27
parent 648b07895c
commit 35eada8a27
1 changed files with 8 additions and 1 deletions
--- a/horizon/views/auth_forms.py
+++ b/horizon/views/auth_forms.py
@ -28,6 +28,7 @@ from django import shortcuts
 from django.conf import settings
 from django.contrib import messages
 from django.contrib.auth import REDIRECT_FIELD_NAME
+from django.utils.http import same_origin
 from django.utils.translation import ugettext as _
 from keystoneclient import exceptions as keystone_exceptions

@ -94,7 +95,13 @@ class Login(forms.SelfHandlingForm):
        request.session['region_endpoint'] = endpoint
        request.session['region_name'] = region_name

-        redirect_to = request.REQUEST.get(REDIRECT_FIELD_NAME, "")
+        redirect_to = request.REQUEST.get(REDIRECT_FIELD_NAME, None)
+        # Make sure the requested redirect matches the protocol,
+        # domain, and port of this request
+        if redirect_to and not same_origin(
+                request.build_absolute_uri(redirect_to),
+                request.build_absolute_uri()):
+            redirect_to = None

        if data.get('tenant', None):
            try: