Our console proxies (novnc, serial, spice) run in a websockify server
whose request handler inherits from the python standard
SimpleHTTPRequestHandler. There is a known issue [1] in the
SimpleHTTPRequestHandler which allows open redirects by way of URLs
in the following format:

http://vncproxy.my.domain.com//example.com/%2F..

which if visited, will redirect a user to example.com.

We can intercept a request and reject requests that pass a redirection
URL beginning with "//" by implementing the
SimpleHTTPRequestHandler.send_head() method containing the
vulnerability to reject such requests with a 400 Bad Request.

This code is copied from a patch suggested in one of the issue comments
[2].
Reviewed: https://review.opendev.org/c/openstack/nova/+/791805
Committed: https://opendev.org/openstack/nova/commit/6b70350bdcf59a9712f88b6435ba2c6500133e5b
Submitter: "Zuul (22348)"
Branch: stable/victoria

commit 6b70350bdcf59a9712f88b6435ba2c6500133e5b
Author: melanie witt <email address hidden>
Date: Thu May 13 05:43:42 2021 +0000
Reject open redirection in the console proxy
Our console proxies (novnc, serial, spice) run in a websockify server
whose request handler inherits from the python standard
SimpleHTTPRequestHandler. There is a known issue [1] in the
SimpleHTTPRequestHandler which allows open redirects by way of URLs
in the following format:

http://vncproxy.my.domain.com//example.com/%2F..

which if visited, will redirect a user to example.com.

We can intercept a request and reject requests that pass a redirection
URL beginning with "//" by implementing the
SimpleHTTPRequestHandler.send_head() method containing the
vulnerability to reject such requests with a 400 Bad Request.

This code is copied from a patch suggested in one of the issue comments
[2].
Closes-Bug: #1927677
[1] https://bugs.python.org/issue32084
[2] https://bugs.python.org/issue32084#msg306545
Conflicts:
nova/console/websocketproxy.py
nova/tests/unit/console/test_websocketproxy.py
NOTE(melwitt): The conflicts are because the following changes are not
in Victoria:
Ib2c406327fef2fb4868d8050fc476a7d17706e23 (Remove six.moves)
I58b0382c86d4ef798572edb63d311e0e3e6937bb (Refactor and rename
test_tcp_rst_no_compute_rpcapi)

Change-Id: Ie36401c782f023d1d5f2623732619105dc2cfa24
(cherry picked from commit 781612b33282ed298f742c85dab58a075c8b793e)
(cherry picked from commit 470925614223c8dd9b1233f54f5a96c02b2d4f70)
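As an added, runnable illustration of the guard the commit message describes (example code written for this page, not Nova's websocketproxy.py), a SimpleHTTPRequestHandler subclass whose send_head() answers any request path beginning with "//" with 400 before the base class can turn it into a directory redirect; GuardedHandler, _FakeSocket, run_request and the empty temporary docroot are assumptions of the example, and the fake socket lets the handler be driven offline with a canned request.

```python
import io
import tempfile
from http import HTTPStatus
from http.server import SimpleHTTPRequestHandler


def is_protocol_relative(path):
    """True for request paths like //example.com/... which browsers read as a
    scheme-relative, cross-host URL when echoed back in a Location header."""
    return path.startswith("//")


class GuardedHandler(SimpleHTTPRequestHandler):
    """Rejects the //host/... form before SimpleHTTPRequestHandler.send_head()
    can answer it with a 301 to a directory path (the open redirect)."""

    def send_head(self):
        if is_protocol_relative(self.path):
            self.send_error(HTTPStatus.BAD_REQUEST, "URI must not start with //")
            return None
        return super().send_head()

    def log_message(self, fmt, *args):  # keep the demo quiet
        pass


class _FakeSocket:
    """Stand-in for a client socket (hypothetical test helper): serves the
    canned request bytes and captures whatever the handler writes back."""

    def __init__(self, raw_request):
        self._reader = io.BytesIO(raw_request)
        self.response = io.BytesIO()

    def makefile(self, mode, bufsize=-1):
        return self._reader

    def sendall(self, data):
        self.response.write(data)


def run_request(raw_request):
    """Feed one raw HTTP request through GuardedHandler serving an empty
    temporary directory; return (status_code, Location header or None)."""
    sock = _FakeSocket(raw_request)
    with tempfile.TemporaryDirectory() as docroot:
        GuardedHandler(sock, ("127.0.0.1", 0), None, directory=docroot)
    head = sock.response.getvalue().split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *headers = head.split("\r\n")
    location = None
    for line in headers:
        name, _, value = line.partition(":")
        if name.lower() == "location":
            location = value.strip()
    return int(status_line.split()[1]), location
```

Newer CPython releases additionally collapse a leading "//" to "/" while parsing the request line, so on those interpreters the same raw request reaches send_head() already normalised and is answered with a same-origin 301 instead of the 400; in neither case is a cross-host Location header emitted.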