From 07325eb90ea9bf6c20143678a00f8ccfb1e76f98 Mon Sep 17 00:00:00 2001
From: Radomir Dopieralski <openstack@sheep.art.pl>
Date: Wed, 1 Sep 2021 18:01:41 +0200
Subject: [PATCH] Escape unicode characters when setting logout_reason cookie

Change-Id: Ic61a3958461a4a939acc40d1039881e2d4c3a1cd
Closes-bug: #1894801
(cherry picked from commit e68e23937341d03be7475d71903f31a61403c1e2)
---
 horizon/templates/auth/_login_form.html    |  6 +++---
 horizon/templates/auth/_password_form.html |  6 +++---
 horizon/utils/functions.py                 |  2 +-
 openstack_auth/views.py                    | 18 ++++++++++++++----
 4 files changed, 21 insertions(+), 11 deletions(-)

diff --git a/horizon/templates/auth/_login_form.html b/horizon/templates/auth/_login_form.html
index 66ce8ff194..a4a4abad5c 100644
--- a/horizon/templates/auth/_login_form.html
+++ b/horizon/templates/auth/_login_form.html
@@ -52,13 +52,13 @@
             </p>
           </div>
         {% endif  %}
-        {% if request.COOKIES.logout_reason %}
-          {% if request.COOKIES.logout_status == "success" %}
+        {% if logout_reason %}
+          {% if logout_status == "success" %}
             <div class="form-group clearfix error help-block alert alert-success" id="logout_reason">
           {% else %}
             <div class="form-group clearfix error help-block alert alert-danger" id="logout_reason">
           {% endif %}
-              <p>{{ request.COOKIES.logout_reason }}</p>
+              <p>{{ logout_reason }}</p>
             </div>
         {% endif %}
         {% if csrf_failure %}
diff --git a/horizon/templates/auth/_password_form.html b/horizon/templates/auth/_password_form.html
index 45ed92011c..3968e767ec 100644
--- a/horizon/templates/auth/_password_form.html
+++ b/horizon/templates/auth/_password_form.html
@@ -31,13 +31,13 @@
         </div>
       {%endif%}
       <fieldset hz-login-finder>
-        {% if request.COOKIES.logout_reason %}
-          {% if request.COOKIES.logout_status == "success" %}
+        {% if logout_reason %}
+          {% if logout_status == "success" %}
             <div class="form-group clearfix error help-block alert alert-success" id="logout_reason">
           {% else %}
             <div class="form-group clearfix error help-block alert alert-danger" id="logout_reason">
           {% endif %}
-              <p>{{ request.COOKIES.logout_reason }}</p>
+              <p>{{ logout_reason }}</p>
             </div>
         {% endif %}
         {% include "horizon/common/_form_fields.html" %}
diff --git a/horizon/utils/functions.py b/horizon/utils/functions.py
index 1052c8ff82..d454156afe 100644
--- a/horizon/utils/functions.py
+++ b/horizon/utils/functions.py
@@ -43,7 +43,7 @@ def add_logout_reason(request, response, reason, status='success'):
     # Store the translated string in the cookie
     lang = translation.get_language_from_request(request)
     with translation.override(lang):
-        reason = str(reason)
+        reason = force_text(reason).encode('unicode_escape').decode('ascii')
         response.set_cookie('logout_reason', reason, max_age=10)
         response.set_cookie('logout_status', status, max_age=10)
 
diff --git a/openstack_auth/views.py b/openstack_auth/views.py
index 353dc99157..451ac8422b 100644
--- a/openstack_auth/views.py
+++ b/openstack_auth/views.py
@@ -66,6 +66,11 @@ def get_csrf_reason(reason):
     return reason
 
 
+def set_logout_reason(res, msg):
+    msg = msg.encode('unicode_escape').decode('ascii')
+    res.set_cookie('logout_reason', msg, max_age=10)
+
+
 # TODO(stephenfin): Migrate to CBV
 @sensitive_post_parameters()
 @csrf_protect
@@ -122,6 +127,9 @@ def login(request):
 
     choices = settings.WEBSSO_CHOICES
     reason = get_csrf_reason(request.GET.get('csrf_failure'))
+    logout_reason = request.COOKIES.get(
+        'logout_reason', '').encode('ascii').decode('unicode_escape')
+    logout_status = request.COOKIES.get('logout_status')
     extra_context = {
         'redirect_field_name': auth.REDIRECT_FIELD_NAME,
         'csrf_failure': reason,
@@ -131,6 +139,8 @@ def login(request):
             'single_value': '',
             'label': '',
         },
+        'logout_reason': logout_reason,
+        'logout_status': logout_status,
     }
 
     if request.is_ajax():
@@ -150,7 +160,7 @@ def login(request):
         res = django_http.HttpResponseRedirect(
             reverse('password', args=[exc.user_id]))
         msg = _("Your password has expired. Please set a new password.")
-        res.set_cookie('logout_reason', msg, max_age=10)
+        set_logout_reason(res, msg)
 
     # Save the region in the cookie, this is used as the default
     # selected region next time the Login form loads.
@@ -201,7 +211,7 @@ def websso(request):
         else:
             msg = 'Login failed: %s' % exc
             res = django_http.HttpResponseRedirect(settings.LOGIN_URL)
-            res.set_cookie('logout_reason', msg, max_age=10)
+            set_logout_reason(res, msg)
         return res
 
     auth_user.set_session_from_user(request, request.user)
@@ -373,7 +383,7 @@ def switch_keystone_provider(request, keystone_provider=None,
         except exceptions.KeystoneAuthException as exc:
             msg = 'Keystone provider switch failed: %s' % exc
             res = django_http.HttpResponseRedirect(settings.LOGIN_URL)
-            res.set_cookie('logout_reason', msg, max_age=10)
+            set_logout_reason(res, msg)
             return res
         auth.login(request, request.user)
         auth_user.set_session_from_user(request, request.user)
@@ -403,5 +413,5 @@ class PasswordView(edit_views.FormView):
         # We have no session here, so regular messages don't work.
         msg = _('Password changed. Please log in to continue.')
         res = django_http.HttpResponseRedirect(self.success_url)
-        res.set_cookie('logout_reason', msg, max_age=10)
+        set_logout_reason(res, msg)
         return res