Merge pull request #29771 from openedx/private_to_public_bf46daa

Mergeback PR from private to public.
2022-01-17 05:31:01 -05:00
parent 68dd185a0a bf46daa494
commit ba2a6df4ec
2 changed files with 21 additions and 1 deletions
--- a/openedx/core/djangoapps/user_authn/views/logout.py
+++ b/openedx/core/djangoapps/user_authn/views/logout.py
@@ -5,6 +5,7 @@ import re
 import urllib.parse as parse  # pylint: disable=import-error
 from urllib.parse import parse_qs, urlsplit, urlunsplit  # pylint: disable=import-error

+import bleach
 from django.conf import settings
 from django.contrib.auth import logout
 from django.utils.http import urlencode
@@ -58,7 +59,7 @@ class LogoutView(TemplateView):
        #  >> /courses/course-v1:ARTS+D1+2018_T/course/
        #  to handle this scenario we need to encode our URL using quote_plus and then unquote it again.
        if target_url:
-            target_url = parse.unquote(parse.quote_plus(target_url))
+            target_url = bleach.clean(parse.unquote(parse.quote_plus(target_url)))

        use_target_url = target_url and is_safe_login_or_logout_redirect(
            redirect_to=target_url,
--- a/openedx/core/djangoapps/user_authn/views/tests/test_logout.py
+++ b/openedx/core/djangoapps/user_authn/views/tests/test_logout.py
@@ -7,6 +7,7 @@ import unittest
 import urllib
 from unittest import mock
 import ddt
+import bleach
 from django.conf import settings
 from django.test import TestCase
 from django.test.utils import override_settings
@@ -193,3 +194,21 @@ class LogoutTests(TestCase):
                'show_tpa_logout_link': True,
            }
            self.assertDictContainsSubset(expected, response.context_data)
+
+    @ddt.data(
+        ('%22%3E%3Cscript%3Ealert(%27xss%27)%3C/script%3E', 'edx.org'),
+    )
+    @ddt.unpack
+    def test_logout_redirect_failure_with_xss_vulnerability(self, redirect_url, host):
+        """
+        Verify that it will block the XSS attack on edX’s LMS logout page
+        """
+        url = '{logout_path}?redirect_url={redirect_url}'.format(
+            logout_path=reverse('logout'),
+            redirect_url=redirect_url
+        )
+        response = self.client.get(url, HTTP_HOST=host)
+        expected = {
+            'target': bleach.clean(urllib.parse.unquote(redirect_url)),
+        }
+        self.assertDictContainsSubset(expected, response.context_data)