https://bugzilla.redhat.com/show_bug.cgi?id=866532 (freeIPA)
Description of problem:
In file rpcserver.py on line 298 the check <code>if not environ['HTTP_REFERER'].startswith('https://%s/ipa' % self.api.env.host) and not self.env.in_tree:</code> does not allow for moving the freeipa UI away from port 443. If the freeipa UI is moved away from 443 this check produces the "RefererError" when in fact the referer is fine - the test is just wrong.

Version-Release number of selected component (if applicable): 2.2.0

How reproducible: Easily.

Steps to reproduce:
1. Install ipa-server
2. Configure the freeipa UI (configure Apache) to run on some port other than 80/443.
3. Try to log in.

Actual results: Referer Error is produced at login.

Expected results: Successful login

Fix: Reduce check to "https://%s" or modify check to use a regex that allows for port numbers by adding "(:\d+)?".
It's better to make sure the port is also preserved, or a compromised low-rights network service on the server could conceivably be used to trick a client. Not very likely, but worth protecting against IMO.
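The three variants discussed in this ticket side by side, as an added example in Python (not FreeIPA's own rpcserver.py code): the startswith check quoted in the description, the reporter's regex with an optional ":port", and a port-preserving check in the spirit of the comment above. The host and port values are constructed, and the `in_tree` bypass from the original condition is left out.

```python
import re
from urllib.parse import urlsplit


def original_check(referer, host):
    """The check as quoted in the ticket: a bare prefix match on
    'https://<host>/ipa', so any explicit port (e.g. :8443) makes it fail."""
    return referer.startswith('https://%s/ipa' % host)


def relaxed_check(referer, host):
    """Reporter's suggestion: allow an optional ':<digits>' after the host.
    Accepts any port, which is the weakness the follow-up comment points at."""
    pattern = r'^https://%s(:\d+)?/ipa' % re.escape(host)
    return re.match(pattern, referer) is not None


def strict_check(referer, host, port):
    """Port-preserving variant: parse the Referer and require the scheme,
    host and (explicit or implied) port to match the server's configuration.
    'port' is the port the UI is actually served on (constructed value)."""
    parts = urlsplit(referer)
    if parts.scheme != 'https':
        return False
    try:
        actual_port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False
    if actual_port is None:
        actual_port = 443  # https default when the Referer carries no port
    return (parts.hostname == host.lower()
            and actual_port == port
            and parts.path.startswith('/ipa'))


if __name__ == '__main__':
    host = 'ipa.example.test'  # constructed hostname
    for ref in ('https://ipa.example.test/ipa/ui',
                'https://ipa.example.test:8443/ipa/ui',
                'https://ipa.example.test:9999/ipa/ui'):
        print(ref, original_check(ref, host),
              relaxed_check(ref, host), strict_check(ref, host, 8443))
```

With the UI moved to 8443, `original_check` rejects the legitimate `:8443` Referer (the bug), `relaxed_check` accepts it but also accepts `:9999`, and `strict_check` accepts only the configured port.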
Metadata Update from @rcritten: - Issue assigned to someone - Issue set to the milestone: Ticket Backlog