Commit 5d94b66
fix!: Merge commit from fork
cherry-pick from openedx#38274
The view_survey endpoint accepted a redirect_url GET parameter and passed
it directly to HttpResponseRedirect() with no validation. If a non-existent
survey name was requested, this produced an immediate 302 to an
attacker-controlled URL. If a valid survey was requested, the same URL was
embedded in a hidden _redirect_url form field; after submission, submit_answers
echoed it back in JSON and client-side JS used it as location.href — a second
unvalidated redirect path.
Fix both by ignoring user-supplied redirect URLs entirely:
- view_survey no longer reads redirect_url from GET params
- submit_answers always redirects to reverse('dashboard') rather than
reading _redirect_url from the POST body
Note: view_student_survey retains its redirect_url parameter because it is
also called from the courseware view (courseware/views/views.py), which passes
a server-controlled course_home_url. That call path is unaffected.
Fixes: GHSA-2843-x998-f8r2
BREAKING CHANGE: The redirect_url GET parameter on /survey/<name>/ is no longer
honored. Requests that previously redirected to a caller-specified URL after
survey completion will now always redirect to the dashboard.1 parent dff77a6 commit 5d94b66
1 file changed
Lines changed: 2 additions & 6 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
26 | 26 | | |
27 | 27 | | |
28 | 28 | | |
29 | | - | |
30 | | - | |
31 | | - | |
| 29 | + | |
32 | 30 | | |
33 | 31 | | |
34 | 32 | | |
| |||
88 | 86 | | |
89 | 87 | | |
90 | 88 | | |
91 | | - | |
92 | | - | |
93 | | - | |
| 89 | + | |
94 | 90 | | |
95 | 91 | | |
96 | 92 | | |
| |||
0 commit comments