Reviewed:  https://review.openstack.org/180343
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=b48c820e3015a0d6264df6a0a87bf1a3dbea61c4
Submitter: Jenkins
Branch:    master

commit b48c820e3015a0d6264df6a0a87bf1a3dbea61c4
Author: Lin Hua Cheng <os.lcheng at gmail.com>
Date:   Tue May 5 22:33:24 2015 +0000

    Revert "Loosen validation on matching trusted dashboard"

    Loosening the validation introduces a security hole for unvalidated
    redirect. For example:

        redirect_url=http://dashboard/sso?next=http://hacksite

    This reverts commit fb6920e5fe1fef2fa32afe602d2bf93f18d48a3f.

    Change-Id: I7e85b2b879f4c66c3664e8610d3ddbb999a5ac75
    Closes-Bug: #1440958

--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1440958

Title:
  loosen validation on matching trusted dashboard

Status in OpenStack Identity (Keystone):
  Fix Committed

Bug description:
  In the current implementation for verifying where the SSO request came
  from, the host is grabbed from the 'origin' query parameter, and
  compared to the list of 'trusted_dashboards' in the config file.

      origin = context['query_string'].get('origin')
      host = urllib.parse.unquote_plus(origin)
      if host in CONF.federation.trusted_dashboard:
          ...

  https://github.com/openstack/keystone/blob/master/keystone/contrib/federation/controllers.py#L278-L287

  This works, but unless the entry is marked perfectly in the config
  file, it won't match. We should loosen the validation that is
  performed, and maybe even use the HTTP Referer instead (and no longer
  require the 'origin' parameter from horizon). We should be able to
  decompose the Referer to figure out the scheme + hostname + path, and
  use that hostname to check against the trusted dashboards.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1440958/+subscriptions
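The thread above contrasts the original exact-match check with a loosened one and shows the payload that the loosened check lets through. The following Python is an added example written for this page; it is not keystone's code and not the code of the reverted commit fb6920e5. It assumes a hypothetical "prefix match" as the loosened rule (the reverted commit's actual rule is not quoted in the thread), a constructed trusted_dashboard list, and a hypothetical resolve_trusted() that shows how a tolerant comparison can still avoid the open redirect: it decomposes the submitted URL into scheme, host and path, rejects any query string or fragment, and returns the configured entry rather than the submitted string, so the value that ends up in the redirect is always operator-supplied.

```python
from urllib.parse import unquote_plus, urlsplit

# Constructed config value standing in for CONF.federation.trusted_dashboard.
TRUSTED_DASHBOARD = ["http://dashboard/sso"]


def exact_match(origin, trusted=TRUSTED_DASHBOARD):
    """Behaviour quoted in the bug: unquote and compare the whole string."""
    return unquote_plus(origin) in trusted


def prefix_match(origin, trusted=TRUSTED_DASHBOARD):
    """Hypothetical loosened rule (an assumption, not the reverted commit's
    code): accept any URL that begins with a trusted entry.  Anything the
    attacker appends after the trusted prefix, such as ?next=http://hacksite,
    is accepted and would be reflected into the redirect."""
    url = unquote_plus(origin)
    return any(url.startswith(entry) for entry in trusted)


def _components(url):
    """Scheme, host:port and path, case-folded where case is insignificant and
    with a trailing slash tolerated, so 'http://DASHBOARD/sso/' equals
    'http://dashboard/sso'.  Query and fragment are deliberately not part of
    the identity of a dashboard."""
    parts = urlsplit(url)
    path = parts.path.rstrip("/") or "/"
    return (parts.scheme.lower(), parts.netloc.lower(), path)


def resolve_trusted(origin, trusted=TRUSTED_DASHBOARD):
    """Tolerant comparison that keeps the redirect closed.

    Returns the *configured* trusted entry that the submitted URL refers to,
    or None.  Any query string or fragment is rejected outright: a trusted
    dashboard entry is a fixed endpoint, and a caller-supplied ?next=... is
    exactly the vector named in the revert.  Because the caller redirects to
    the returned configured value and never to the submitted string, nothing
    attacker-controlled reaches the Location header even if a future
    loosening of _components() is too generous."""
    url = unquote_plus(origin)
    parts = urlsplit(url)
    if parts.query or parts.fragment:
        return None
    want = _components(url)
    for entry in trusted:
        if _components(entry) == want:
            return entry
    return None


if __name__ == "__main__":
    payload = "http://dashboard/sso?next=http://hacksite"
    print("exact  :", exact_match(payload))       # False
    print("prefix :", prefix_match(payload))      # True  (the hole)
    print("resolve:", resolve_trusted(payload))   # None  (rejected)
    print("resolve:", resolve_trusted("http://DASHBOARD/sso/"))  # configured entry
```

Note that checking only the hostname, as the bug's last sentence proposes, is weaker than what resolve_trusted() does: "http://dashboard@hacksite/sso" has hostname hacksite but a careless parser or a human reading the string may see "dashboard"; comparing the whole netloc and returning the configured entry sidesteps that class of confusion.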