Fix success_url parameter issue for Edit Snapshot

The "success_url" param is used when updating the project snapshot
[1] and it lacks sanitizing the input URL that allows an attacker to
redirect the user to another website. This patch update 'Updateview'
class to not use the "sucess_url" method.

Closes-bug: #1982676

[1] https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/project/snapshots/views.py#L109

Change-Id: Ied142440965b1a722e7a4dd1be3b1be3b3e1644b
(cherry picked from commit 79d1395942)
This commit is contained in:
manchandavishal 2022-09-14 22:17:58 +05:30
parent ee06d9e295
commit beed6bf6f6

View File

@ -12,7 +12,6 @@
from django.urls import reverse from django.urls import reverse
from django.urls import reverse_lazy from django.urls import reverse_lazy
from django.utils.http import urlencode
from django.utils.translation import ugettext_lazy as _ from django.utils.translation import ugettext_lazy as _
from horizon import exceptions from horizon import exceptions
@ -104,11 +103,8 @@ class UpdateView(forms.ModalFormView):
def get_context_data(self, **kwargs): def get_context_data(self, **kwargs):
context = super().get_context_data(**kwargs) context = super().get_context_data(**kwargs)
context['snapshot'] = self.get_object() context['snapshot'] = self.get_object()
success_url = self.request.GET.get('success_url', "")
args = (self.kwargs['snapshot_id'],) args = (self.kwargs['snapshot_id'],)
params = urlencode({"success_url": success_url}) context['submit_url'] = reverse(self.submit_url, args=args)
context['submit_url'] = "?".join([reverse(self.submit_url, args=args),
params])
return context return context
def get_initial(self): def get_initial(self):
@ -117,12 +113,6 @@ class UpdateView(forms.ModalFormView):
'name': snapshot.name, 'name': snapshot.name,
'description': snapshot.description} 'description': snapshot.description}
def get_success_url(self):
success_url = self.request.GET.get(
"success_url",
reverse_lazy("horizon:project:snapshots:index"))
return success_url
class DetailView(tabs.TabView): class DetailView(tabs.TabView):
tab_group_class = vol_snapshot_tabs.SnapshotDetailTabs tab_group_class = vol_snapshot_tabs.SnapshotDetailTabs