Our console proxies (novnc, serial, spice) run in a websockify server
whose request handler inherits from the python standard
SimpleHTTPRequestHandler. There is a known issue [1] in the
SimpleHTTPRequestHandler which allows open redirects by way of URLs
in the following format:

http://vncproxy.my.domain.com//example.com/%2F..

which if visited, will redirect a user to example.com.
We can intercept a request and reject requests that pass a redirection
URL beginning with "//" by implementing the
SimpleHTTPRequestHandler.send_head() method containing the
vulnerability to reject such requests with a 400 Bad Request.
This code is copied from a patch suggested in one of the issue comments
[2].
Reviewed: https://review.opendev.org/c/openstack/nova/+/791297
Committed: https://opendev.org/openstack/nova/commit/781612b33282ed298f742c85dab58a075c8b793e
Submitter: "Zuul (22348)"
Branch: master
commit 781612b33282ed298f742c85dab58a075c8b793e
Author: melanie witt <email address hidden>
Date: Thu May 13 05:43:42 2021 +0000
Reject open redirection in the console proxy
Our console proxies (novnc, serial, spice) run in a websockify server
whose request handler inherits from the python standard
SimpleHTTPRequestHandler. There is a known issue [1] in the
SimpleHTTPRequestHandler which allows open redirects by way of URLs
in the following format:

http://vncproxy.my.domain.com//example.com/%2F..

which if visited, will redirect a user to example.com.

We can intercept a request and reject requests that pass a redirection
URL beginning with "//" by implementing the
SimpleHTTPRequestHandler.send_head() method containing the
vulnerability to reject such requests with a 400 Bad Request.

This code is copied from a patch suggested in one of the issue comments
[2].
Closes-Bug: #1927677
[1] https://bugs.python.org/issue32084
[2] https://bugs.python.org/issue32084#msg306545
Change-Id: Ie36401c782f023d1d5f2623732619105dc2cfa24
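The mechanics behind the bug description and the commit message above, as an added example that is neither the Nova patch nor CPython's http.server code: the two SimpleHTTPRequestHandler steps that combine into the open redirect (translate_path percent-decoding and normalising the path so that "//example.com/%2F.." collapses to the document root, and send_head's "directory without trailing slash, redirect to self.path + '/'" branch producing a scheme-relative Location) are reimplemented as plain functions, next to a hardened variant that applies the check the commit describes, rejecting a redirect target beginning with "//" with 400 Bad Request. The document root "/srv/www", the request paths and the stand-in for os.path.isdir are constructed for the demo and never touch the filesystem, so it runs offline on any Python 3.

```python
# Added example, not code from Nova or from CPython: a pure-function mirror of
# the SimpleHTTPRequestHandler logic that yields the open redirect, plus the
# hardened redirect step. DOCROOT and the is_dir stand-in are constructed.
import posixpath
import urllib.parse
from http import HTTPStatus

DOCROOT = "/srv/www"  # assumed document root for the demo; nothing is read from disk


def translate_path(request_path, directory=DOCROOT):
    """Simplified mirror of SimpleHTTPRequestHandler.translate_path.

    Drops query/fragment, percent-decodes, normalises, then discards any
    '.'/'..' component and re-roots what is left under `directory`.
    For "//example.com/%2F.." the decoded form "//example.com//.." normalises
    to "//", leaving no components, so the result is the document root itself.
    """
    path = request_path.split("?", 1)[0].split("#", 1)[0]
    trailing_slash = path.rstrip().endswith("/")
    path = posixpath.normpath(urllib.parse.unquote(path))
    result = directory
    for word in filter(None, path.split("/")):
        if posixpath.dirname(word) or word in (".", ".."):
            continue
        result = posixpath.join(result, word)
    if trailing_slash:
        result += "/"
    return result


def directory_redirect(request_path, is_dir):
    """The vulnerable branch of send_head: if the request maps to a directory
    but the URL path lacks a trailing slash, answer 301 with
    Location = self.path + '/'. Returns (status, location), or None when no
    redirect is issued. Because self.path is "//example.com/%2F..", urlsplit
    treats "example.com" as the netloc and the Location becomes
    "//example.com/%2F../", which browsers resolve as http://example.com/...
    """
    if not is_dir(translate_path(request_path)):
        return None
    parts = urllib.parse.urlsplit(request_path)
    if parts.path.endswith("/"):
        return None
    new_parts = (parts[0], parts[1], parts[2] + "/", parts[3], parts[4])
    return (HTTPStatus.MOVED_PERMANENTLY, urllib.parse.urlunsplit(new_parts))


def directory_redirect_hardened(request_path, is_dir):
    """Same branch with the guard the commit describes: a Location beginning
    with "//" is scheme-relative and would send the client off-host, so the
    request is refused with 400 Bad Request instead of being redirected.
    Ordinary in-host directory redirects are unaffected.
    """
    result = directory_redirect(request_path, is_dir)
    if result is not None and result[1].startswith("//"):
        return (HTTPStatus.BAD_REQUEST, None)
    return result


def demo_is_dir(path):
    # Constructed stand-in for os.path.isdir: in this demo only the document
    # root and DOCROOT/pub exist as directories.
    return path in (DOCROOT, posixpath.join(DOCROOT, "pub"))


def demo():
    """Run the three interesting requests through both versions."""
    evil = "//example.com/%2F.."
    return {
        "evil_resolves_to": translate_path(evil),
        "evil_vulnerable": directory_redirect(evil, demo_is_dir),
        "evil_hardened": directory_redirect_hardened(evil, demo_is_dir),
        "pub_hardened": directory_redirect_hardened("/pub", demo_is_dir),
        "docs_hardened": directory_redirect_hardened("/docs", demo_is_dir),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Rejecting on `new_url.startswith("//")` rather than on the raw request path is the narrower check: it fires exactly when the server is about to emit a scheme-relative Location, and leaves redirects such as "/pub" to "/pub/" working. Later CPython releases closed the same hole in the standard library itself (gh-87389, in BaseHTTPRequestHandler.parse_request, by collapsing a leading "//" in the request path to a single "/"), so a proxy that subclasses the handler on a current interpreter gets both layers of defence.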