Added validation for csrf_failure GET argument

During csrf_failure argument validation horizon drops unknown messages
so nobody can't inject any message to login view.

Change-Id: I78a7592562a6249629f4d236ca59eb83d9094123
Closes-Bug: #1898465

openstack_auth/tests/unit/test_views.py

@@ -0,0 +1,38 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from django.middleware import csrf
+from django import test
+
+from openstack_auth import views
+
+
+class CsrfTestCase(test.TestCase):
+    COOKIES_OFF_MSG = ("Cookies may be turned off. "
+                       "Make sure cookies are enabled and try again.")
+
+    def test_no_csrf(self):
+        reason = views.get_csrf_reason(None)
+        self.assertIsNone(reason)
+
+    def test_valid_csrf(self):
+        reason = views.get_csrf_reason(csrf.REASON_NO_CSRF_COOKIE)
+        expected = csrf.REASON_NO_CSRF_COOKIE + " " + self.COOKIES_OFF_MSG
+
+        self.assertEqual(expected, reason)
+
+    def test_invalid_csrf(self):
+        reason = views.get_csrf_reason("error message")
+        expected = self.COOKIES_OFF_MSG
+
+        self.assertEqual(expected, reason)

openstack_auth/views.py

@@ -19,6 +19,7 @@ from django.contrib.auth.decorators import login_required
 from django.contrib.auth import views as django_auth_views
 from django.contrib import messages
 from django import http as django_http
+from django.middleware import csrf
 from django import shortcuts
 from django.urls import reverse
 from django.utils import functional
@@ -47,6 +48,24 @@ from openstack_auth import utils
 LOG = logging.getLogger(__name__)
 
 
+def get_csrf_reason(reason):
+    if not reason:
+        return
+
+    if reason not in [csrf.REASON_NO_REFERER,
+                      csrf.REASON_BAD_REFERER,
+                      csrf.REASON_NO_CSRF_COOKIE,
+                      csrf.REASON_BAD_TOKEN,
+                      csrf.REASON_MALFORMED_REFERER,
+                      csrf.REASON_INSECURE_REFERER]:
+        reason = ""
+    else:
+        reason += " "
+    reason += str(_("Cookies may be turned off. "
+                    "Make sure cookies are enabled and try again."))
+    return reason
+
+
 # TODO(stephenfin): Migrate to CBV
 @sensitive_post_parameters()
 @csrf_protect
@@ -102,9 +121,10 @@ def login(request):
         form = functional.curry(forms.Login, initial=initial)
 
     choices = settings.WEBSSO_CHOICES
+    reason = get_csrf_reason(request.GET.get('csrf_failure'))
     extra_context = {
         'redirect_field_name': auth.REDIRECT_FIELD_NAME,
-        'csrf_failure': request.GET.get('csrf_failure'),
+        'csrf_failure': reason,
         'show_sso_opts': settings.WEBSSO_ENABLED and len(choices) > 1,
         'classes': {
             'value': '',

openstack_dashboard/views.py

@@ -21,7 +21,6 @@ from django import http
 from django import shortcuts
 from django import urls
 from django.utils.encoding import smart_text
-from django.utils.translation import ugettext as _
 import django.views.decorators.vary
 from django.views.generic import TemplateView
 
@@ -110,11 +109,6 @@ class ExtensibleHeaderView(TemplateView):
 
 
 def csrf_failure(request, reason=""):
-    if reason:
-        reason += " "
-    reason += _("Cookies may be turned off. "
-                "Make sure cookies are enabled and try again.")
-
     url = settings.LOGIN_URL + "?csrf_failure=%s" % urllib.parse.quote(reason)
     response = http.HttpResponseRedirect(url)
     return response