authormanchandavishal <manchandavishal143@gmail.com>2022-09-14 22:17:58 +0530
committermanchandavishal <manchandavishal143@gmail.com>2022-10-29 09:58:39 +0530
commitbeed6bf6f6f83df9972db5fb539d64175ce12ce9 (patch)
treecf01d9d3782f37d5df9ad867df1195a258738cd3
parentee06d9e295a35ca5f187417f39cedb0706ab4ec7 (diff)
downloadhorizon-wallaby-em.tar.gz
Fix success_url parameter issue for Edit Snapshotwallaby-em19.4.0
The "success_url" param is used when updating the project snapshot [1], and the input URL is not sanitized, which allows an attacker to redirect the user to another website. This patch updates the 'UpdateView' class to not use the "success_url" method. Closes-bug: #1982676 [1] https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/project/snapshots/views.py#L109 Change-Id: Ied142440965b1a722e7a4dd1be3b1be3b3e1644b (cherry picked from commit 79d139594290779b2f74ca894332aa7f2f7e4735)
-rw-r--r--openstack_dashboard/dashboards/project/snapshots/views.py12
1 files changed, 1 insertions, 11 deletions
diff --git a/openstack_dashboard/dashboards/project/snapshots/views.py b/openstack_dashboard/dashboards/project/snapshots/views.py
index be3fe4e97..a92da5162 100644
--- a/openstack_dashboard/dashboards/project/snapshots/views.py
+++ b/openstack_dashboard/dashboards/project/snapshots/views.py
@@ -12,7 +12,6 @@
from django.urls import reverse
from django.urls import reverse_lazy
-from django.utils.http import urlencode
from django.utils.translation import ugettext_lazy as _
from horizon import exceptions
@@ -104,11 +103,8 @@ class UpdateView(forms.ModalFormView):
def get_context_data(self, **kwargs):
context = super().get_context_data(**kwargs)
context['snapshot'] = self.get_object()
- success_url = self.request.GET.get('success_url', "")
args = (self.kwargs['snapshot_id'],)
- params = urlencode({"success_url": success_url})
- context['submit_url'] = "?".join([reverse(self.submit_url, args=args),
- params])
+ context['submit_url'] = reverse(self.submit_url, args=args)
return context
def get_initial(self):
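Review bot: No regression test accompanies the change to `get_context_data`, and the diffstat lists views.py as the only file touched, so nothing stops a later change from forwarding a request-supplied redirect target again. A view test that requests the update form with a `success_url` query parameter naming another host, then asserts that `submit_url` carries no query string and that the post-save redirect stays on the snapshots index, would pin the behaviour. A short comment above the new assignment, such as `# Deliberately no query string: request-supplied redirect targets are not forwarded (bug #1982676).`, would record why the parameter was dropped. With `get_success_url` removed in the next hunk, the redirect presumably falls back to a `success_url` attribute on the class, which is not visible here and is worth confirming. The body of `UpdateView` starts before this hunk.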
@@ -117,12 +113,6 @@ class UpdateView(forms.ModalFormView):
'name': snapshot.name,
'description': snapshot.description}
- def get_success_url(self):
- success_url = self.request.GET.get(
- "success_url",
- reverse_lazy("horizon:project:snapshots:index"))
- return success_url
-
class DetailView(tabs.TabView):
tab_group_class = vol_snapshot_tabs.SnapshotDetailTabs