🐛 Do not follow redirect responses in logout calls

Block following redirect responses from programmatically calling the logout operation, for two reasons: * they may be incomplete endpoints, e.g. the Redirect URI but without state parameter or token or anything, which would fail anyway. These can cause HTTP 500 errors in downstream projects (as seen in Open Forms). * they can lead to SSRF issues if we don't validate the redirect target URL - a malicious/bad OpenID Provider could be a part of a larger chain of exploits
maykinmedia · Jun 17, 2024 · de6aa48 · de6aa48
1 parent a275b08
commit de6aa48
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/mozilla_django_oidc_db/utils.py b/mozilla_django_oidc_db/utils.py
@@ -75,7 +75,11 @@ def do_op_logout(config: OpenIDConnectConfigBase, id_token: str) -> None:
     if not logout_endpoint:
         return
 
-    response = requests.post(logout_endpoint, data={"id_token_hint": id_token})
+    response = requests.post(
+        logout_endpoint,
+        data={"id_token_hint": id_token},
+        allow_redirects=False,
+    )
     if not response.ok:
         logger.warning(
             "Failed to log out the user at the OpenID Provider. Status code: %s",