Get OpenID XRDS url host from request

Replaced the previous method of getting it from HTTP_POST to use django's mechanism, which may or may not use HTTP_HOST. However if an attacker changes the request header, there is not much he can do since he cannot recreate the association nonce.

Get OpenID XRDS url host from request
Replaced the previous method of getting it from HTTP_POST to use django's mechanism, which may or may not use HTTP_HOST. However if an attacker changes the request header, there is not much he can do since he cannot recreate the association nonce.
b70de70b · Carlos Andrés Rocha · 85495c95 · b70de70b
Commit b70de70b authored Oct 03, 2012 by Carlos Andrés Rocha
Hide whitespace changes
Inline Side-by-side

Showing with 1 additions and 4 deletions

common/djangoapps/external_auth/views.py
+1 -4

No files found.
--- a/common/djangoapps/external_auth/views.py
+++ b/common/djangoapps/external_auth/views.py
@@ -271,10 +271,7 @@ def get_xrds_url(resource, request):
    """
    Return the XRDS url for a resource
    """
-    host = request.META['HTTP_HOST']
-
-    if not host.endswith('edx.org'):
-        return None
+    host = request.get_host()

    location = host + '/openid/provider/' + resource + '/'