Comment 28 for bug 1927677

Reviewed: https://review.opendev.org/c/openstack/nova/+/791805
Committed: https://opendev.org/openstack/nova/commit/6b70350bdcf59a9712f88b6435ba2c6500133e5b
Submitter: "Zuul (22348)"
Branch: stable/victoria

commit 6b70350bdcf59a9712f88b6435ba2c6500133e5b
Author: melanie witt <email address hidden>
Date: Thu May 13 05:43:42 2021 +0000

    Reject open redirection in the console proxy

    Our console proxies (novnc, serial, spice) run in a websockify server
    whose request handler inherits from the python standard
    SimpleHTTPRequestHandler. There is a known issue [1] in the
    SimpleHTTPRequestHandler which allows open redirects by way of URLs
    in the following format:

      http://vncproxy.my.domain.com//example.com/%2F..

    which if visited, will redirect a user to example.com.

    We can intercept a request and reject requests that pass a redirection
    URL beginning with "//" by implementing the
    SimpleHTTPRequestHandler.send_head() method containing the
    vulnerability to reject such requests with a 400 Bad Request.

    This code is copied from a patch suggested in one of the issue comments
    [2].

    Closes-Bug: #1927677

    [1] https://bugs.python.org/issue32084
    [2] https://bugs.python.org/issue32084#msg306545

    Conflicts:
        nova/console/websocketproxy.py
        nova/tests/unit/console/test_websocketproxy.py

    NOTE(melwitt): The conflicts are because the following changes are not
    in Victoria:

      Ib2c406327fef2fb4868d8050fc476a7d17706e23 (Remove six.moves)
      I58b0382c86d4ef798572edb63d311e0e3e6937bb (Refactor and rename
        test_tcp_rst_no_compute_rpcapi)

    Change-Id: Ie36401c782f023d1d5f2623732619105dc2cfa24
    (cherry picked from commit 781612b33282ed298f742c85dab58a075c8b793e)
    (cherry picked from commit 470925614223c8dd9b1233f54f5a96c02b2d4f70)