commit 8906552cfc2525a44251d4cf313ece61e57251eb
Author: Sean Mooney <email address hidden>
Date: Mon Aug 23 15:37:48 2021 +0100
address open redirect with 3 forward slashes
Ie36401c782f023d1d5f2623732619105dc2cfa24 was intended
to address OSSA-2021-002 (CVE-2021-3654) however after its
release it was discovered that the fix only worked
for urls with 2 leading slashes or more than 4.
This change addresses the missing edge case for 3 leading slashes
and also maintains support for rejecting 2+.
NOTE(melwitt): The conflict and difference in websocketproxy.py from
the cherry picked change: HTTPStatus.BAD_REQUEST => 400 is due to the
fact that HTTPStatus does not exist in Python 2.7. The conflict in
test_websocketproxy.py is because change
I23ac1cc79482d0fabb359486a4b934463854cae5 (Allow TLS ciphers/protocols
to be configurable for console proxies) is not in Train. The difference
in test_websocketproxy.py from the cherry picked change is due to a
difference in internal implementation [1] in Python < 3.6. See change
I546d376869a992601b443fb95acf1034da2a8f36 for reference.
Reviewed: https://review.opendev.org/c/openstack/nova/+/806629
Committed: https://opendev.org/openstack/nova/commit/8906552cfc2525a44251d4cf313ece61e57251eb
Submitter: "Zuul (22348)"
Branch: stable/train
Conflicts:
    nova/console/websocketproxy.py
    nova/tests/unit/console/test_websocketproxy.py
[1] https://github.com/python/cpython/commit/34eeed42901666fce099947f93dfdfc05411f286
Change-Id: I95f68be76330ff09e5eabb5ef8dd9a18f5547866
co-authored-by: Matteo Pozza
Closes-Bug: #1927677
(cherry picked from commit 6fbd0b758dcac71323f3be179b1a9d1c17a4acc5)
(cherry picked from commit 47dad4836a26292e9d34e516e1525ecf00be127c)
(cherry picked from commit 9588cdbfd4649ea53d60303f2d10c5d62a070a07)
(cherry picked from commit 0997043f459ac616b594363b5b253bd0ae6ed9eb)
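
A regression table for the leading-slash edge case described in the commit message, added here as an example and not taken from nova or from this commit. It compares a prefix check on the raw request path with a hypothetical check applied after a `urllib.parse` split/unsplit round trip, which is one way a three-slash gap can arise. The host `redirect.example`, the function names and the round-trip check are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit


def rebuilt_check_rejects(request_path):
    """Hypothetical weak check: test the URL after a split/unsplit round trip.

    urlsplit() treats a leading "//" as the start of a network location.
    For "///host/x" that location is empty, so the rebuilt URL is "/host/x"
    and no longer starts with "//".
    """
    rebuilt = urlunsplit(urlsplit(request_path))
    return rebuilt.startswith("//")


def raw_check_rejects(request_path):
    """Reject any path with two or more leading slashes, exactly as received."""
    return request_path.startswith("//")


def compare(max_slashes=6, target="redirect.example/console"):
    """Return {n: (rebuilt_rejects, raw_rejects)} for n leading slashes.

    The target is a constructed sample value, not a real endpoint.
    """
    results = {}
    for n in range(1, max_slashes + 1):
        path = "/" * n + target
        results[n] = (rebuilt_check_rejects(path), raw_check_rejects(path))
    return results


def missed_by_rebuilt_check(max_slashes=6):
    """Slash counts the raw check rejects but the rebuilt check lets through."""
    return [n for n, (rebuilt, raw) in compare(max_slashes).items()
            if raw and not rebuilt]


if __name__ == "__main__":
    for n, (rebuilt, raw) in compare().items():
        print(f"{n} slashes: rebuilt-check rejects={rebuilt}, "
              f"raw-check rejects={raw}")
    print("missed by rebuilt check:", missed_by_rebuilt_check())
```

A unit test for a redirect handler can loop over the same range of slash counts so that a gap at any single count fails the build.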