
Bug#686323: unblock: horizon/2012.1.1-4



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package horizon/2012.1.1-4

This fixes CVE-2012-3540, which was embargoed until yesterday.
Diff file attached.

Cheers,

Thomas Goirand (zigo)
diff --git a/debian/changelog b/debian/changelog
index 2a90c43..2451460 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+horizon (2012.1.1-4) unstable; urgency=high
+
+  * CVE-2012-3540: added patch: Disallow login redirects to anywhere other than
+  the same origin (Closes: #686050).
+
+ -- Thomas Goirand <zigo@debian.org>  Tue, 28 Aug 2012 03:05:44 +0000
+
 horizon (2012.1.1-3) unstable; urgency=low
 
   [ Thomas Goirand ]
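Review bot: the continuation line of the changelog bullet (`  the same origin (Closes: #686050).`) is indented two spaces instead of four, so it does not line up under the bullet text as Debian changelog convention expects; indent it to `    the same origin (Closes: #686050).`. Naming the CVE id in the entry and using urgency=high are the right choices for a security fix, since that is what the security tracker and the release team key on.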
diff --git a/debian/patches/CVE-2012-3540_disallow_login_redirect_other_than_same_origin.patch b/debian/patches/CVE-2012-3540_disallow_login_redirect_other_than_same_origin.patch
new file mode 100644
index 0000000..4e1f5d5
--- /dev/null
+++ b/debian/patches/CVE-2012-3540_disallow_login_redirect_other_than_same_origin.patch
@@ -0,0 +1,31 @@
+Description: Disallow login redirects to anywhere other than the same origin.
+Author: Paul McMillan <paul.mcmillan@nebula.com>
+Origin: upstream
+Bug-Debian: http://bugs.debian.org/686050
+Bug-Ubuntu: https://launchpad.net/bugs/1039077
+
+--- horizon-2012.1.1.orig/horizon/views/auth_forms.py
++++ horizon-2012.1.1/horizon/views/auth_forms.py
+@@ -28,6 +28,7 @@ from django import shortcuts
+ from django.conf import settings
+ from django.contrib import messages
+ from django.contrib.auth import REDIRECT_FIELD_NAME
++from django.utils.http import same_origin
+ from django.utils.translation import ugettext as _
+ from keystoneclient import exceptions as keystone_exceptions
+ 
+@@ -94,7 +95,13 @@ class Login(forms.SelfHandlingForm):
+         request.session['region_endpoint'] = endpoint
+         request.session['region_name'] = region_name
+ 
+-        redirect_to = request.REQUEST.get(REDIRECT_FIELD_NAME, "")
++        redirect_to = request.REQUEST.get(REDIRECT_FIELD_NAME, None)
++        # Make sure the requested redirect matches the protocol,
++        # domain, and port of this request
++        if redirect_to and not same_origin(
++                request.build_absolute_uri(redirect_to),
++                request.build_absolute_uri()):
++            redirect_to = None
+ 
+         if data.get('tenant', None):
+             try:
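Review bot: the DEP-3 header of this new patch file gives `Origin: upstream` with no commit URL and has no `Applied-Upstream:` field, so a later maintainer cannot tell which upstream commit this backports; add the upstream commit reference. In the code change itself, the default for `redirect_to` moves from `""` to `None`, and the new same_origin check also resets it to `None`; the code that consumes `redirect_to` is outside this hunk, so confirm it treats `None` exactly as it treated the empty string (falling back to the default post-login page) rather than handing it to the redirect.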
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..3d6a997
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2012-3540_disallow_login_redirect_other_than_same_origin.patch
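Review bot: `debian/patches/series` is created here as a new file, so earlier revisions shipped no quilt patches at all; confirm `debian/source/format` is `3.0 (quilt)` (or that the build rules invoke quilt), otherwise the CVE patch is packaged but never applied at build time.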