OK, I really went down the rabbit hole with this one.
The tl;dr is that this is a known issue in the python standard library [1], in the http.server.SimpleHTTPRequestHandler, which WebSockifyRequestHandler derives from and which we ultimately derive from with our NovaProxyRequestHandler.
I found that we _can_ intercept this in our code and prevent an open redirect. It could be considered hacky, but I'm attaching a patch that prevents the redirect. It is code copied from a comment on the python issue [2].
The concern about the sample code in the issue is that such code might reject legitimate requests in certain cases. I don't believe we have such a concern with the nova console proxy.
Let me know what you think.
[1] https://bugs.python.org/issue32084
[2] https://bugs.python.org/issue32084#msg306545
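
An added example, not the attached patch and not nova's or websockify's code: one way a subclass can intercept the request before `SimpleHTTPRequestHandler` issues its redirect. It assumes the redirect in question is the stdlib's "append a trailing slash to a directory path" redirect; `GuardedHandler`, `redirect_target` and `is_open_redirect` are hypothetical names, and the request paths in the comments are constructed.

```python
import http.server
import os
import urllib.parse
from http import HTTPStatus


def redirect_target(request_path):
    """Return the Location value a trailing-slash redirect would carry for
    request_path, or None when the path already ends in '/'."""
    parts = urllib.parse.urlsplit(request_path)
    if parts.path.endswith('/'):
        return None  # no redirect is issued in this case
    return urllib.parse.urlunsplit(
        (parts[0], parts[1], parts[2] + '/', parts[3], parts[4]))


def is_open_redirect(request_path):
    """True if the redirect target would start with '//'. Browsers resolve
    such a Location as a scheme-relative URL, i.e. as another host."""
    target = redirect_target(request_path)
    return target is not None and target.startswith('//')


class GuardedHandler(http.server.SimpleHTTPRequestHandler):
    """Hypothetical subclass: refuse the request instead of redirecting."""

    def send_head(self):
        # Only directory requests without a trailing slash get redirected,
        # so only those need the check (assumption stated in the lead-in).
        path = self.translate_path(self.path)
        if os.path.isdir(path) and is_open_redirect(self.path):
            self.send_error(HTTPStatus.BAD_REQUEST,
                            "URI must not start with //")
            return None
        return super().send_head()

# Constructed inputs:
#   "/static"               -> redirect to "/static/", allowed
#   "//example.org/static"  -> would redirect to "//example.org/static/", rejected
```

Because the guard only rejects when the computed target begins with `//`, ordinary directory requests such as `/static` still receive the normal redirect.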