From b817e47f8cb13ee0537103071139bee00a739a4a Mon Sep 17 00:00:00 2001
From: Thomas Goirand
Date: Tue, 28 Aug 2012 03:15:06 +0000
Subject: [PATCH] CVE-2012-3540: added patch: Disallow login redirects to anywhere other than the same origin (Closes: #686050)
Rewritten-From: 4a7ac06cd28ad3d9f92e2d987d0a1846a4de0743
---
trusty/debian/changelog | 7 +++++
...ogin_redirect_other_than_same_origin.patch | 31 +++++++++++++++++++
trusty/debian/patches/series | 1 +
3 files changed, 39 insertions(+)
create mode 100644 trusty/debian/patches/CVE-2012-3540_disallow_login_redirect_other_than_same_origin.patch
create mode 100644 trusty/debian/patches/series
diff --git a/trusty/debian/changelog b/trusty/debian/changelog
index 2a90c43..2451460 100644
--- a/trusty/debian/changelog
+++ b/trusty/debian/changelog
@@ -1,3 +1,10 @@
+horizon (2012.1.1-4) unstable; urgency=high
+
+ * CVE-2012-3540: added patch: Disallow login redirects to anywhere other than
+ the same origin (Closes: #686050).
+
+ -- Thomas Goirand Tue, 28 Aug 2012 03:05:44 +0000
+
 horizon (2012.1.1-3) unstable; urgency=low
 
 [ Thomas Goirand ]
diff --git a/trusty/debian/patches/CVE-2012-3540_disallow_login_redirect_other_than_same_origin.patch b/trusty/debian/patches/CVE-2012-3540_disallow_login_redirect_other_than_same_origin.patch
new file mode 100644
index 0000000..4e1f5d5
--- /dev/null
+++ b/trusty/debian/patches/CVE-2012-3540_disallow_login_redirect_other_than_same_origin.patch
@@ -0,0 +1,31 @@
+Description: Disallow login redirects to anywhere other than the same origin.
+Author: Paul McMillan
+Origin: upstream
+Bug-Debian: http://bugs.debian.org/686050
+Bug-Ubuntu: https://launchpad.net/bugs/1039077
+
+--- horizon-2012.1.1.orig/horizon/views/auth_forms.py
++++ horizon-2012.1.1/horizon/views/auth_forms.py
+@@ -28,6 +28,7 @@ from django import shortcuts
+ from django.conf import settings
+ from django.contrib import messages
+ from django.contrib.auth import REDIRECT_FIELD_NAME
++from django.utils.http import same_origin
+ from django.utils.translation import ugettext as _
+ from keystoneclient import exceptions as keystone_exceptions
+
+@@ -94,7 +95,13 @@ class Login(forms.SelfHandlingForm):
+ request.session['region_endpoint'] = endpoint
+ request.session['region_name'] = region_name
+
+- redirect_to = request.REQUEST.get(REDIRECT_FIELD_NAME, "")
++ redirect_to = request.REQUEST.get(REDIRECT_FIELD_NAME, None)
++ # Make sure the requested redirect matches the protocol,
++ # # domain, and port of this request
++ if redirect_to and not same_origin(
++ request.build_absolute_uri(redirect_to),
++ request.build_absolute_uri()):
++ redirect_to = None
+
+ if data.get('tenant', None):
+ try:
diff --git a/trusty/debian/patches/series b/trusty/debian/patches/series
new file mode 100644
index 0000000..3d6a997
--- /dev/null
+++ b/trusty/debian/patches/series
@@ -0,0 +1 @@
+CVE-2012-3540_disallow_login_redirect_other_than_same_origin.patch
-- 
2.45.2
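Review bot: The origin check on the `if redirect_to and not same_origin(` lines validates the urljoin-normalized form produced by `request.build_absolute_uri(redirect_to)`, but the value left in `redirect_to` is the raw request parameter, and the code that later emits the redirect is outside this hunk. Inputs that Python's urlparse and a browser resolve differently — `///evil.example` and `/\evil.example`, which Chrome treats as scheme-relative while urljoin keeps them on the current host — would pass the comparison yet still send the browser off-site if the raw string ends up in the Location header. I would reject those forms before the comparison, `if redirect_to and (redirect_to.startswith('///') or '\\' in redirect_to): redirect_to = None`, or else redirect to the absolutized URL that was actually validated rather than the raw parameter. The enclosing Login method starts and ends outside the hunk, and since `request.REQUEST` accepts the target from both the query string and the POST body, the same guard must cover both.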