italia / spid-cie-oidc-django

The SPID/CIE OIDC Federation SDK, written in Python
Apache License 2.0

Open redirect vulnerability on oidc_provider_not_consent view #256

Closed voidz0r closed 1 year ago

voidz0r commented 1 year ago

There's an open redirect vulnerability for the oidc_provider_not_consent view of the ConsentPageView class.

The HttpResponseRedirect, as stated in the documentation, accepts a fully qualified URL, and the view validates neither the input URL nor the state.

https://github.com/italia/spid-cie-oidc-django/blob/45c4241e62db78e9a8d8e50a975b49709025c16b/spid_cie_oidc/provider/views/consent_page_view.py#L108

peppelinux commented 1 year ago

Confirmed!

The state SHOULD be there and the redirect_uri MUST be the one compliant with the requesting RP metadata. Would you like to propose a PR for that to resolve this issue?

Anyway, thank you for this issue, it's very relevant for the project.
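As an added illustration of the fix described in the comment above (example code written for this note, not the project's own consent view), a validator that refuses to redirect unless `state` is present and `redirect_uri` exactly matches one of the requesting RP's registered `redirect_uris`. The `RP_METADATA` table, the `client_id` argument and the `error=access_denied` response shape are assumed stand-ins.

```python
from urllib.parse import quote, urlsplit

# Constructed stand-in for the redirect_uris an RP publishes in its metadata
# (hypothetical values; the real project reads them from the federation).
RP_METADATA = {
    "https://rp.example.org": {
        "redirect_uris": ["https://rp.example.org/oidc/rp/callback"],
    }
}


class InvalidRedirect(Exception):
    """Raised when the consent page must refuse to redirect."""


def validate_consent_redirect(client_id, redirect_uri, state, rp_metadata=RP_METADATA):
    """Return the only URL the consent view may redirect to, or raise.

    Exact string comparison against the registered list is deliberate:
    prefix or host-only matching would accept a lookalike host or an open
    path on the RP, which is how an open redirect survives a weak check.
    """
    if not state:
        raise InvalidRedirect("missing state")
    if client_id not in rp_metadata:
        raise InvalidRedirect("unknown RP")
    if redirect_uri not in rp_metadata[client_id].get("redirect_uris", []):
        raise InvalidRedirect("redirect_uri not registered for this RP")
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or not parts.netloc:
        raise InvalidRedirect("redirect_uri must be an absolute https URL")
    return redirect_uri


def is_allowed_redirect(client_id, redirect_uri, state, rp_metadata=RP_METADATA):
    """Boolean convenience wrapper around validate_consent_redirect."""
    try:
        validate_consent_redirect(client_id, redirect_uri, state, rp_metadata)
        return True
    except InvalidRedirect:
        return False


def build_not_consent_redirect(client_id, redirect_uri, state):
    """Build the error redirect returned when the user refuses consent.

    Only a validated redirect_uri ever reaches the redirect response, and the
    state is echoed back URL-encoded so the RP can correlate the answer.
    """
    target = validate_consent_redirect(client_id, redirect_uri, state)
    sep = "&" if "?" in target else "?"
    return f"{target}{sep}error=access_denied&state={quote(state, safe='')}"
```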

peppelinux commented 1 year ago

Resolved in https://github.com/italia/spid-cie-oidc-django/releases/tag/v0.8.14