Fixing OpenID Covert Redirect in Flask-OpenID

Earlier today, I wrote a blog post explaining the recently announced OpenID Covert Redirect security vulnerability, going into details on how this vulnerability works and how it can be prevented.

If you want to see this post, please go here.

I thought I'd write a small blogpost on how to mitigate this attack if you are using Flask-OpenID, as I have made this very easy for you.

Since version 1.2 of Flask-OpenID, it contains a security feature that I called "safe_roots", this means that it will only give a next_url if the URL is either in your application root or in one of the URL roots you have marked as secure via safe_roots.

The only unforunate thing about this system, is that I have disabled it by default to not break non-suspecting apps.
I am currently reconsidering this, and might decide that from version 1.3 on, this is enabled by default.

Enabling the safe_roots feature

To enable this security feature in your app, you just need to make one very small adjustment.
Look for the line where you initialize it, which basically looks like: oid = OpenID(app, ...) (the variable names and current arguments might vary).
To enable the safe_roots feature, just add the argument safe_roots=[] to this, so that it becomes: oid = OpenID(app, safe_roots[], ...).

After you did this, you have just mitigated the OpenID Covert Redirect vulnerability, congratulations!

If you need to be able to redirect to external websites after the OpenID authentication by means of the ?next= argument, you should add that website to the safe_roots.
So for example if you want to be able to redirect users to after the authentication finishes, just add it to the list of safe roots, like this: safe_roots=[''].

Security vulnerability reporting experience

Fixing OpenID Covert Redirect in the Fedora Infrastructure