OpenStack Horizon Missing Validation

Hi,we opened a bug at OpenStack, 3 month ago, but nobody takes care about it. Due to the OpenStack guidlines the bug report is now public readable.https://bugs.launchpad.net/horizon/+bug/1980349I am not a security expert and do not know how bad this bug is, there is now CVE and so on. Please be kind.# Description of the bugWe use OpenStack horizon in the following version: `git+https://opendev.org/openstack/horizon@9d1bb3626bc1dbcf29a55aeb094f4350067317cd#egg=horizon`In Horizon there is the following code in Xena:openstack_auth/views.py```def websso(request):    """Logs a user in using a token from Keystone's POST."""    referer = request.META.get('HTTP_REFERER', settings.OPENSTACK_KEYSTONE_URL)    auth_url = utils.clean_up_auth_url(referer)    token = request.POST.get('token')    try:        request.user = auth.authenticate(request, auth_url=auth_url,                                         token=token)   ...```This call is usually called during SAML-Auth, but you can call it on the command line like this:``curl -v 'http://horizon-name:8080/auth/websso/' -X POST -H 'Referer: https://referer:5001/' -H 'Content-Type: application/x-www-form-urlencoded' --data-raw 'token=mytoken'``The token is not checked.So an attacker can control the content of the HTTP_REFERER and then an auth POST request will be sent to this address.I have changed the referer to a web server https://webserver/su-huhu/ and you can find inside the logfile:```access.log: <ip-address-of-horizon> - - [28/Jun/2022:08:15:06 +0200] "POST /su-huhu/v3/auth/tokens HTTP/1.1" 404 6529 "-" "openstack_auth keystoneauth1/4.5.0 python-requests/2.27.1 CPython/3.8.10"```# Impact* An attacker can hide his ip and do a brute force attack to any other ip via all public available horizon dashboards.* An attacker can setup a machine, set the referer to this machine and then send some ugly results (e.g. very long, never ending, wrong json code, ssl protocol issues) to the horizon service.* An attacker can analyze which services are available on the horizon host (if it is behind a firewall, use DNS Servers with private zones). Note that you are able to change the port number to any number. I have not tested, but perhaps it is also possible to change the protocol to another value, let's say: imap://user:passwort@ip/.# Is this only relevant for xenaThe code has changed on master branch, but the bug is still there:```# TODO(stephenfin): Migrate to CBV@sensitive_post_parameters()@csrf_exempt@never_cachedef websso(request):    """Logs a user in using a token from Keystone's POST."""    if settings.WEBSSO_USE_HTTP_REFERER:        referer = request.META.get('HTTP_REFERER',                                   settings.OPENSTACK_KEYSTONE_URL)        auth_url = utils.clean_up_auth_url(referer)    else:        auth_url = settings.OPENSTACK_KEYSTONE_URL    token = request.POST.get('token')    try:        request.user = auth.authenticate(request, auth_url=auth_url,                                         token=token)    except exceptions.KeystoneAuthException as exc:        if settings.WEBSSO_DEFAULT_REDIRECT:            res = django_http.HttpResponseRedirect(settings.LOGIN_ERROR)        else:            msg = 'Login failed: %s' % exc            res = django_http.HttpResponseRedirect(settings.LOGIN_URL)            set_logout_reason(res, msg)        return res```only changing the WEBSSO_USE_HTTP_REFERER to false (Default true) will forbid to call this.