Today we looked into which of our applications were vulnerable to the
"covert redirect" vulnerability in the news today. We found that our
OpenID provider, FedOAuth, was not generally vulnerable to the server-side
aspects. But about half of our clients had some issues with
If an attacker somehow tricked another user into visiting a link like
Copr would send the user to evilsite.com after successfully
authenticating with fedoauth.
The patch for this, at first glance, is very simple:
-oid = OpenID(app, app.config["OPENID_STORE"])
+oid = OpenID(app, app.config["OPENID_STORE"], safe_roots=)
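Review bot: the value of `safe_roots=` is cut off in the `+` line, so the hunk as shown is incomplete and would not apply; it needs a list of the URL roots that the `next` parameter is allowed to point at, which for Copr is just the frontend's own root, e.g. `safe_roots=["https://<copr-frontend-root>/"]` (placeholder). Nothing in the hunk guards against the older library version the text below says is deployed, so the change should be paired with the upgrade or with a version check.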
However, the "safe_roots" argument to OpenID was only introduced in
python-openid-1.2. The copr frontend is running on Fedora 19 and so
is, for the moment, stuck with python-openid-1.0.1. Upgrading is
probably the best bet, but it may cause other unforeseen issues.
As a workaround, I've attached a second patch that tells copr to just ignore
the 'next' parameter and always redirect back to the copr root URL. This
second workaround patch is applied as a 'hotfix' in Ansible and deployed to the
copr cloud node.
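For readers without the newer library, the check that `safe_roots` stands for can be written by hand. The following is an added, self-contained example and is not Copr's or Flask-OpenID's own code: it validates a `next` parameter against a list of allowed URL roots and otherwise falls back to the application root, which with `safe_roots=None` reproduces the "ignore `next` entirely" hotfix described above. The root URL `https://copr.example.org/` and the sample `next` values are constructed for the example; the function names are the example's own. It goes beyond the single `evilsite.com` case in the text by also rejecting the usual look-alike forms (protocol-relative `//host`, backslash, user-info `@`, subdomain-suffix and non-HTTP schemes).

```python
from urllib.parse import urljoin, urlsplit

# Constructed values for the example; a real deployment would take these
# from the application's own configuration.
APP_ROOT = "https://copr.example.org/"
SAFE_ROOTS = ["https://copr.example.org/"]


def _with_trailing_slash(path):
    return path if path.endswith("/") else path + "/"


def resolve_safe_next(next_url, app_root, safe_roots):
    """Return the absolute URL `next_url` resolves to if it lies under one of
    `safe_roots`, otherwise None.

    Relative paths are resolved against `app_root` first, so "/coprs/x/" is
    accepted while "//evilsite.com/" (which browsers treat as absolute) is not.
    """
    if not next_url:
        return None
    # Browsers treat backslashes as slashes; normalise before parsing so that
    # "\\evilsite.com" is seen as the absolute URL it really is.
    candidate = urljoin(app_root, next_url.replace("\\", "/"))
    parts = urlsplit(candidate)
    # urljoin leaves unrelated schemes (javascript:, data:) untouched; refuse them.
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    cand_path = _with_trailing_slash(parts.path)
    for root in safe_roots:
        r = urlsplit(root)
        # Exact host match (including any port and user-info) defeats
        # "https://copr.example.org@evilsite.com/" and
        # "https://copr.example.org.evilsite.com/"; the trailing-slash path
        # prefix defeats "/coprs-evil" matching a root of "/coprs".
        if (parts.scheme == r.scheme
                and parts.netloc.lower() == r.netloc.lower()
                and cand_path.startswith(_with_trailing_slash(r.path))):
            return candidate
    return None


def redirect_target(next_url, app_root, safe_roots=None):
    """Where to send the user after a successful login.

    safe_roots=None mirrors the hotfix: `next` is ignored and the user always
    lands on the application root. With a list, `next` is honoured only if it
    passes resolve_safe_next(); anything else falls back to the root.
    """
    if safe_roots is None:
        return app_root
    return resolve_safe_next(next_url, app_root, safe_roots) or app_root


if __name__ == "__main__":
    for nxt in ["/coprs/user/project/", "https://evilsite.com/",
                "//evilsite.com/", "\\\\evilsite.com", "javascript:alert(1)"]:
        print(f"{nxt!r:32} -> {redirect_target(nxt, APP_ROOT, SAFE_ROOTS)}")
```

Port and user-info differences are deliberately treated as mismatches; being stricter than necessary costs nothing here because the fallback is simply the application root.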