Merge lp:~canonical-isd-hackers/canonical-identity-provider/logout-returnto-referer-matching-fix into lp:canonical-identity-provider/release

Proposed by Stuart Metcalfe
Status: Merged
Approved by: David Owen
Approved revision: no longer in the source branch.
Merged at revision: 118
Proposed branch: lp:~canonical-isd-hackers/canonical-identity-provider/logout-returnto-referer-matching-fix
Merge into: lp:canonical-identity-provider/release
Diff against target: 72 lines (+36/-10)
2 files modified
identityprovider/tests/test_views_ui_logout.py (+30/-2)
identityprovider/views/ui.py (+6/-8)
To merge this branch: bzr merge lp:~canonical-isd-hackers/canonical-identity-provider/logout-returnto-referer-matching-fix
Reviewer Review Type Date Requested Status
David Owen (community) Approve
Review via email: mp+40991@code.launchpad.net

Commit message

Fixed issue where logout return_to argument was looking for matches to the http referer

Description of the change

This branch fixes an issue where the HTTP Referer had to exactly match the trust root in order to accept the return URL. It now matches any URL beneath the trust root.

Revision history for this message
David Owen (dsowen) :
review: Approve

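--- a/identityprovider/tests/test_views_ui_logout.py
+++ b/identityprovider/tests/test_views_ui_logout.py
@@ -98,11 +98,39 @@
 return_to = self.view.get_return_to_url(trust_root, None)
 self.assertEquals(return_to, trust_root)
 
+ def test_get_return_to_url_when_referer_matches_known_url(self):
+ trust_root = 'http://example.com/test/'
+ self.create_openid_rp_config(trust_root)
+ return_to = self.view.get_return_to_url(trust_root, trust_root)
+ self.assertEqual(return_to, trust_root)
+
+ def test_get_return_to_url_when_referer_extends_known_url(self):
+ trust_root = 'http://example.com/test/'
+ referer = trust_root + 'again/'
+ self.create_openid_rp_config(trust_root)
+ return_to = self.view.get_return_to_url(trust_root, referer)
+ self.assertEqual(return_to, trust_root)
+
+ def test_get_return_to_url_when_referer_extends_known_url_with_different_trust_root(self):
+ trust_root = 'http://example.com/test/'
+ requested_url = trust_root + 'me/'
+ referer = trust_root + 'again/'
+ self.create_openid_rp_config(trust_root)
+ return_to = self.view.get_return_to_url(requested_url, referer)
+ self.assertEqual(return_to, requested_url)
+
+ def test_get_return_to_url_when_referer_diminishes_known_url(self):
+ referer = 'http://example.com/'
+ trust_root = referer + 'test/'
+ self.create_openid_rp_config(trust_root)
+ return_to = self.view.get_return_to_url(trust_root, referer)
+ self.assertTrue(return_to is None)
+
 def test_get_return_to_url_when_referer_mismatches_known_url(self):
 trust_root = 'http://example.com/r'
+ referer = 'http://r.example.com'
 self.create_openid_rp_config(trust_root)
- return_to = self.view.get_return_to_url(trust_root,
- 'http://r.example.com')
+ return_to = self.view.get_return_to_url(trust_root, referer)
 self.assertTrue(return_to is None)
 
 def test_get_return_to_url_when_url_is_unknown(self):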
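Review bot: The four new cases all derive the referer by appending to a trust root that already ends in '/', so none of them pins the boundary behaviour of the new `startswith` comparison in ui.py — a referer that shares the trust root as a character prefix but not as a path segment. A fifth case next to the updated mismatch test, using trust root 'http://example.com/r' and referer 'http://example.com/rest' and ending in `self.assertTrue(return_to is None)`, would document the intended semantics; as far as the hunk in ui.py shows, it would fail against this branch, which is the point of adding it. The name of the third new case runs well past 79 columns; something like `test_get_return_to_url_when_referer_extends_known_url_with_other_root` keeps it readable. The enclosing test class starts outside the hunk.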
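--- a/identityprovider/views/ui.py
+++ b/identityprovider/views/ui.py
@@ -109,16 +109,14 @@
 if language:
 response.set_cookie(settings.LANGUAGE_COOKIE_NAME, language)
 
- def get_return_to_url(self, return_to, http_referer):
+ def get_return_to_url(self, return_to, referer):
 rpconfig = OpenIDRPConfig.objects.for_url(return_to)
- if not return_to:
- return None
- elif rpconfig is None:
- return None
- elif http_referer is not None and http_referer != return_to:
- return None
- else:
+ if not return_to or rpconfig is None:
+ return None
+ elif referer is None or referer.startswith(rpconfig.trust_root):
 return return_to
+ else:
+ return None
 
 def set_orequest(self, session, token, raw_orequest):
 if token is not None and raw_orequest is not None: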