Version in base suite: 23.0.0-5 Base version: horizon_23.0.0-5 Target version: horizon_23.0.0-5+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/h/horizon/horizon_23.0.0-5.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/h/horizon/horizon_23.0.0-5+deb12u1.dsc changelog | 8 + patches/CVE-2022-45582_Fix_success_url_parameter_issue_for_Edit_Snapshot.patch | 51 ++++++++++ patches/series | 1 3 files changed, 60 insertions(+)
diff -Nru horizon-23.0.0/debian/changelog horizon-23.0.0/debian/changelog
--- horizon-23.0.0/debian/changelog 2022-12-31 12:56:48.000000000 +0000
+++ horizon-23.0.0/debian/changelog 2023-09-05 09:31:00.000000000 +0000
@@ -1,3 +1,11 @@
+horizon (3:23.0.0-5+deb12u1) bookworm; urgency=medium
+
+ * CVE-2022-45582: Open redirect/phishing attack via "success_url" parameter,
+ add upstream patch: "Fix success_url parameter issue for Edit Snapshot"
+ (Closes: #1050518).
+
+ -- Thomas Goirand Tue, 05 Sep 2023 11:31:00 +0200
+
 horizon (3:23.0.0-5) unstable; urgency=medium
 
 * Ignore openstack_dashboard/dashboards/project/backups/tests.py, see
diff -Nru horizon-23.0.0/debian/patches/CVE-2022-45582_Fix_success_url_parameter_issue_for_Edit_Snapshot.patch horizon-23.0.0/debian/patches/CVE-2022-45582_Fix_success_url_parameter_issue_for_Edit_Snapshot.patch
--- horizon-23.0.0/debian/patches/CVE-2022-45582_Fix_success_url_parameter_issue_for_Edit_Snapshot.patch 1970-01-01 00:00:00.000000000 +0000
+++ horizon-23.0.0/debian/patches/CVE-2022-45582_Fix_success_url_parameter_issue_for_Edit_Snapshot.patch 2023-09-05 09:31:00.000000000 +0000
@@ -0,0 +1,51 @@
+Author: manchandavishal
+Date: Wed, 14 Sep 2022 22:17:58 +0530
+Description: CVE-2022-45582 Fix success_url parameter issue for Edit Snapshot
+ The "success_url" param is used when updating the project snapshot
+ [1] and it lacks sanitizing the input URL that allows an attacker to
+ redirect the user to another website. This patch update 'Updateview'
+ class to not use the "sucess_url" method.
+Bug: https://launchpad.net/bugs/1982676
+Bug-Debian: https://bugs.debian.org/1050518
+Origin: upstream, https://review.opendev.org/c/openstack/horizon/+/862899
+Change-Id: Ied142440965b1a722e7a4dd1be3b1be3b3e1644b
+Last-Update: 2023-09-05
+
+diff --git a/openstack_dashboard/dashboards/project/snapshots/views.py b/openstack_dashboard/dashboards/project/snapshots/views.py
+index 7efc4a8..faf7279 100644
+--- a/openstack_dashboard/dashboards/project/snapshots/views.py
++++ b/openstack_dashboard/dashboards/project/snapshots/views.py
+@@ -12,7 +12,6 @@
+ 
+ from django.urls import reverse
+ from django.urls import reverse_lazy
+-from django.utils.http import urlencode
+ from django.utils.translation import gettext_lazy as _
+ 
+ from horizon import exceptions
+@@ -104,11 +103,8 @@
+ def get_context_data(self, **kwargs):
+ context = super().get_context_data(**kwargs)
+ context['snapshot'] = self.get_object()
+- success_url = self.request.GET.get('success_url', "")
+ args = (self.kwargs['snapshot_id'],)
+- params = urlencode({"success_url": success_url})
+- context['submit_url'] = "?".join([reverse(self.submit_url, args=args),
+- params])
++ context['submit_url'] = reverse(self.submit_url, args=args)
+ return context
+ 
+ def get_initial(self):
+@@ -117,12 +113,6 @@
+ 'name': snapshot.name,
+ 'description': snapshot.description}
+ 
+- def get_success_url(self):
+- success_url = self.request.GET.get(
+- "success_url",
+- reverse_lazy("horizon:project:snapshots:index"))
+- return success_url
+-
+ 
+ class DetailView(tabs.TabView):
+ tab_group_class = 
vol_snapshot_tabs.SnapshotDetailTabs
diff -Nru horizon-23.0.0/debian/patches/series horizon-23.0.0/debian/patches/series
--- horizon-23.0.0/debian/patches/series 2022-12-31 12:56:48.000000000 +0000
+++ horizon-23.0.0/debian/patches/series 2023-09-05 09:31:00.000000000 +0000
@@ -6,3 +6,4 @@
 django-4.x-csrf-reasons.patch
 Make-site_branding-tag-work-with-Django-4.0.patch
 remove-test_rbac_panels.patch
+CVE-2022-45582_Fix_success_url_parameter_issue_for_Edit_Snapshot.patch
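Review bot: Removing `get_success_url` in the `@@ -117,12 +113,6 @@` hunk makes the post-save redirect depend entirely on the `success_url` class attribute of the enclosing UpdateView, whose header and attributes sit above the `@@ -104,11 +103,8 @@` hunk and are not visible here; the retained `from django.urls import reverse_lazy` import suggests a `success_url = reverse_lazy(...)` attribute still exists, but with stock Django `FormMixin` a missing attribute raises ImproperlyConfigured on every edit, so the package should carry a test that POSTs the edit-snapshot form and checks the redirect location. Dropping `from django.utils.http import urlencode` is likewise only safe if nothing else in views.py still calls it, which the hunk cannot show. The fix is the right shape for an open redirect: the removed code took `request.GET['success_url']` straight into the Location header, and if a caller-supplied return URL is ever reintroduced it must be accepted only after `django.utils.http.url_has_allowed_host_and_scheme(url, allowed_hosts={self.request.get_host()})` returns True, falling back to the index URL otherwise. The DEP-3 Description also misspells the removed method as `the "sucess_url" method`; `the get_success_url() method` would read correctly.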