Today we looked into which of our applications were vulnerable to the "covert redirect" vulnerability in the news today. We found that our OpenID provider, FedOAuth, was not generally vulnerable to the server side aspects. But about half of our clients had some issues with redirection.
If an attacker somehow tricked another user into visiting a link like this: https://copr.fedoraproject.org/login/?next=http://evilsite.com Copr would send the user to evilsite.com after successfully authenticating with fedoauth.
The patch for this, at first glance, is very simple:
-oid = OpenID(app, app.config["OPENID_STORE"]) +oid = OpenID(app, app.config["OPENID_STORE"], safe_roots=[])
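Review bot: the new `safe_roots=[]` keyword will only be accepted by a python-openid build that knows the argument; on the python-openid-1.0.1 install the text describes, passing it makes the `OpenID(...)` constructor raise a TypeError when the app starts, so this line needs a version guard or should wait for the upgrade. It would also help to add a short comment on why the list is empty, i.e. that no external roots are whitelisted, so a later maintainer does not "fix" it by adding evilsite-style entries.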
However, the "safe_roots" argument to OpenID was only introduced in python-openid-1.2. The copr frontend is running on Fedora 19 and so is, for the moment, stuck with python-openid-1.0.1. Upgrading is probably the best bet, but it may cause other unforeseen issues.
As a workaround, I've attached a second patch that tells copr to just ignore the 'next' parameter and redirect always back to the copr root url. This second workaround patch is applied as a 'hotfix' in ansible and deployed to the copr cloud node.
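To show what the two patches above are protecting against, here is an added example (not Copr's code and not the patch in the ansible commit): the vulnerable pattern of trusting the `next` parameter verbatim, next to a hypothetical hardened helper that only honours `next` when it resolves to the site's own scheme and host, and otherwise falls back to the site root exactly as the hotfix does. `SITE_ROOT`, `unsafe_next_url` and `safe_next_url` are names constructed for this illustration.

```python
from urllib.parse import urljoin, urlparse

# Constructed stand-in for the frontend's public origin; not Copr's real config value.
SITE_ROOT = "https://copr.fedoraproject.org/"


def unsafe_next_url(next_param):
    """The vulnerable pattern: whatever the client put in ?next= is used as-is,
    so an attacker-controlled absolute URL sends the freshly authenticated user
    off-site (the behaviour described for the unpatched frontend)."""
    return next_param or SITE_ROOT


def safe_next_url(next_param, site_root=SITE_ROOT):
    """Hypothetical hardened helper: keep `next` only if it resolves to the same
    scheme and host as the site itself; otherwise redirect to the site root."""
    if not next_param:
        return site_root
    site = urlparse(site_root)
    # Resolve relative to the site root so "/coprs/" stays on-host while
    # "http://evilsite.com" and "//evilsite.com" resolve to a foreign host.
    target = urlparse(urljoin(site_root, next_param))
    if target.scheme != site.scheme or target.netloc != site.netloc:
        return site_root
    return target.geturl()


if __name__ == "__main__":
    # Constructed inputs: one on-site path and a few off-site variants.
    for candidate in ("/coprs/foo/", "http://evilsite.com", "//evilsite.com/",
                      "https://copr.fedoraproject.org.evilsite.com/", None):
        print(repr(candidate), "->", safe_next_url(candidate))
```

The host comparison is done on the resolved absolute URL rather than on the raw string, so protocol-relative (`//host`) and look-alike-host forms are treated the same as a plain `http://evilsite.com`; the fallback-to-root branch is the same behaviour the hotfix gives unconditionally.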
http://infrastructure.fedoraproject.org/cgit/ansible.git/commit/?id=602405b5...