Canonical SSO provider

Merge lp:~canonical-isd-hackers/canonical-identity-provider/logout-returnto-referer-matching-fix into lp:canonical-identity-provider/release

logout-returnto-referer-matching-fix
Merge into trunk

Proposed by Stuart Metcalfe on 2010-11-16

Status:

Merged

Approved by:

David Owen on 2010-11-16

Approved revision:

no longer in the source branch.

Merged at revision:

118

Proposed branch:

lp:~canonical-isd-hackers/canonical-identity-provider/logout-returnto-referer-matching-fix

Merge into:

lp:canonical-identity-provider/release

Diff against target:

72 lines (+36/-10)

2 files modified

identityprovider/tests/test_views_ui_logout.py (+30/-2)
identityprovider/views/ui.py (+6/-8)

To merge this branch:

bzr merge lp:~canonical-isd-hackers/canonical-identity-provider/logout-returnto-referer-matching-fix

Medium

Fix Released

Link a bug report

Reviewer	Review Type	Date Requested	Status
David Owen (community)		2010-11-16	Approve on 2010-11-16
Review via email: mp+40991@code.launchpad.net

Commit message

Fixed issue where logout return_to argument was looking for matches to the http referer

Description of the change

This branch fixes an issue where the HTTP Referer had to exactly match the trust root in order to accept the return URL. It now matches any URL beneath the trust root.

Revision history for this message

David Owen (dsowen) on 2010-11-16:

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Adrian John San migel

Alexsandr

Canonical ISD hackers

Corey Russell SR

Damian

Danny Tamez

Diane Montana

Frederico Miranda

Magdalena Shneider

Maximiliano Bertacchini

Rick McMeen

William Grant

abdulhameed omair

alhawiti

fralogos32

marek duda

martin

to status/vote changes:

Harpianto,ANDI

rocket_69

 === modified file 'identityprovider/tests/test_views_ui_logout.py'
 --- identityprovider/tests/test_views_ui_logout.py	2010-11-16 14:11:00 +0000
 +++ identityprovider/tests/test_views_ui_logout.py	2010-11-16 19:38:57 +0000
@@ -98,11 +98,39 @@
          return_to = self.view.get_return_to_url(trust_root, None)
          self.assertEquals(return_to, trust_root)
++    def test_get_return_to_url_when_referer_matches_known_url(self):
++        trust_root = 'http://example.com/test/'
++        self.create_openid_rp_config(trust_root)
++        return_to = self.view.get_return_to_url(trust_root, trust_root)
++        self.assertEqual(return_to, trust_root)
++
++    def test_get_return_to_url_when_referer_extends_known_url(self):
++        trust_root = 'http://example.com/test/'
++        referer = trust_root + 'again/'
++        self.create_openid_rp_config(trust_root)
++        return_to = self.view.get_return_to_url(trust_root, referer)
++        self.assertEqual(return_to, trust_root)
++
++    def test_get_return_to_url_when_referer_extends_known_url_with_different_trust_root(self):
++        trust_root = 'http://example.com/test/'
++        requested_url = trust_root + 'me/'
++        referer = trust_root + 'again/'
++        self.create_openid_rp_config(trust_root)
++        return_to = self.view.get_return_to_url(requested_url, referer)
++        self.assertEqual(return_to, requested_url)
++
++    def test_get_return_to_url_when_referer_diminishes_known_url(self):
++        referer = 'http://example.com/'
++        trust_root = referer + 'test/'
++        self.create_openid_rp_config(trust_root)
++        return_to = self.view.get_return_to_url(trust_root, referer)
++        self.assertTrue(return_to is None)
++
      def test_get_return_to_url_when_referer_mismatches_known_url(self):
          trust_root = 'http://example.com/r'
++        referer = 'http://r.example.com'
          self.create_openid_rp_config(trust_root)
--        return_to = self.view.get_return_to_url(trust_root,
--                                                'http://r.example.com')
++        return_to = self.view.get_return_to_url(trust_root, referer)
          self.assertTrue(return_to is None)
      def test_get_return_to_url_when_url_is_unknown(self):
 === modified file 'identityprovider/views/ui.py'
 --- identityprovider/views/ui.py	2010-11-16 14:11:00 +0000
 +++ identityprovider/views/ui.py	2010-11-16 19:38:57 +0000
@@ -109,16 +109,14 @@
          if language:
              response.set_cookie(settings.LANGUAGE_COOKIE_NAME, language)
--    def get_return_to_url(self, return_to, http_referer):
++    def get_return_to_url(self, return_to, referer):
          rpconfig = OpenIDRPConfig.objects.for_url(return_to)
--        if not return_to:
--            return None
--        elif rpconfig is None:
--            return None
--        elif http_referer is not None and http_referer != return_to:
--            return None
--        else:
++        if not return_to or rpconfig is None:
++            return None
++        elif referer is None or referer.startswith(rpconfig.trust_root):
              return return_to
++        else:
++            return None
      def set_orequest(self, session, token, raw_orequest):
          if token is not None and raw_orequest is not None: