Fix open redirect in Horizon.

LP 1039077. Disallow login redirects to anywhere other than the same origin. Change-Id: I36e8e4f30cf440ecc73534af38fcd8d2a111a603
openstack · Aug 30, 2012 · 35eada8 · 35eada8
1 parent 648b078
commit 35eada8
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/horizon/views/auth_forms.py b/horizon/views/auth_forms.py
@@ -28,6 +28,7 @@
 from django.conf import settings
 from django.contrib import messages
 from django.contrib.auth import REDIRECT_FIELD_NAME
+from django.utils.http import same_origin
 from django.utils.translation import ugettext as _
 from keystoneclient import exceptions as keystone_exceptions
 
@@ -94,7 +95,13 @@ def handle(self, request, data):
         request.session['region_endpoint'] = endpoint
         request.session['region_name'] = region_name
 
-        redirect_to = request.REQUEST.get(REDIRECT_FIELD_NAME, "")
+        redirect_to = request.REQUEST.get(REDIRECT_FIELD_NAME, None)
+        # Make sure the requested redirect matches the protocol,
+        # domain, and port of this request
+        if redirect_to and not same_origin(
+                request.build_absolute_uri(redirect_to),
+                request.build_absolute_uri()):
+            redirect_to = None
 
         if data.get('tenant', None):
             try: