Comment 37 for bug 1409142

Paul McMillan (paul-mcmillan) wrote : Re: Websocket Hijacking Vulnerability in Nova VNC Server (CVE-2015-0259)

This is how Django handles and docs the coordination between a TLS unwrapper and the application, if necessary:
https://docs.djangoproject.com/en/1.7/ref/settings/#secure-proxy-ssl-header
I believe this approach and the documentation around it is correct and reasonably standard. A similar approach would probably be correct for nova.

@Dave I was aware of the "token in the GET parameter issue" raised in 1197459, and agree that part isn't usually exploitable in a proper https site (though it is pretty horrifying), but the "cookie isn't set securely" part is actually quite exploitable. I can open a separate private bug about that.

@Jeremy: Does the stable branch policy preclude us from adding new configuration values with reasonable defaults, and saying "Add these configs if you want to be secure"?

If we can't do that, we could do something truly horrible like detecting if we ever see a https referer, and then permanently shifting to only accepting https referers.

@all do we agree that given a) the current patch improves things, and b) the fixes for the issues raised here are non-trivial, we should move these issues into separate tickets?
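As an added illustration (not code from nova, Django, or this comment's author) of the proxy-header coordination described above: a TLS-terminating proxy sets a configured header, the application derives the effective scheme from that header only when it has been configured to trust it, and the websocket handshake's Origin header (assumed here as the value being checked, with an assumed expected host) is compared against that scheme and host.

```python
# Added example: trusted-proxy scheme detection in the style of Django's
# SECURE_PROXY_SSL_HEADER, followed by an Origin check for a websocket
# handshake. Header names are treated as lowercase keys.
from urllib.parse import urlsplit

# Assumed configuration: the (header, value) pair the TLS-terminating proxy
# sets when it handled HTTPS. Set to None when no proxy strips and sets this
# header in front of the application, since a client could then forge it.
SECURE_PROXY_SSL_HEADER = ("X-Forwarded-Proto", "https")


def effective_scheme(headers, is_tls_direct,
                     secure_proxy_ssl_header=SECURE_PROXY_SSL_HEADER):
    """Return 'https' or 'http' as seen by the end user.

    is_tls_direct: True when this process terminated TLS itself.
    headers: dict of lowercase header name -> value.
    """
    if is_tls_direct:
        return "https"
    if secure_proxy_ssl_header is not None:
        name, value = secure_proxy_ssl_header
        # Only the configured header/value pair promotes the scheme.
        if headers.get(name.lower()) == value:
            return "https"
    return "http"


def origin_allowed(headers, is_tls_direct, expected_host,
                   secure_proxy_ssl_header=SECURE_PROXY_SSL_HEADER):
    """Accept the handshake only if Origin matches the expected scheme+host."""
    origin = headers.get("origin")
    if not origin:
        return False  # browsers always send Origin on websocket handshakes
    parts = urlsplit(origin)
    scheme = effective_scheme(headers, is_tls_direct, secure_proxy_ssl_header)
    return (parts.scheme == scheme
            and parts.netloc.lower() == expected_host.lower())
```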