Comment 5 for bug 1927677

melanie witt (melwitt) wrote : Re: novnc allowing open direction which could potentially be used for phishing

OK, I really went down the rabbit hole with this one.

The tl;dr is that this is a known issue in the Python standard library [1], in the http.server.SimpleHTTPRequestHandler, which WebSockifyRequestHandler derives from and which we ultimately derive from with our NovaProxyRequestHandler.

I found that we _can_ intercept this in our code and prevent an open redirect. It could be considered hacky, but I'm attaching a patch that prevents the redirect. It is code copied from a comment on the Python issue [2].

The concern about the sample code in the issue is that such code might reject legitimate requests in certain cases. I don't believe we have such a concern with the nova console proxy.

Let me know what you think.

[1] https://bugs.python.org/issue32084
[2] https://bugs.python.org/issue32084#msg306545
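
Added example, not part of the original comment and not the attached patch or the code from the Python issue: one way a SimpleHTTPRequestHandler subclass can intercept the request before the directory redirect is built. The names GuardedHandler, FakeSocket, fetch and demo are hypothetical, the request is fed through an in-memory stand-in for a socket, and this guard rejects every request target starting with "//", which may be stricter than a given deployment needs.

```python
import io
import os
import tempfile
from http.server import SimpleHTTPRequestHandler


class GuardedHandler(SimpleHTTPRequestHandler):
    """Hypothetical subclass: refuse request targets that begin with '//'."""
    def send_head(self):
        # self.requestline is the raw line, e.g. "GET //x HTTP/1.0". Checking it
        # instead of self.path still works if the base class rewrote self.path.
        words = self.requestline.split()
        target = words[1] if len(words) >= 2 else ""
        if target.startswith("//"):
            # Browsers read "Location: //name/" as a URL on another host.
            self.send_error(400, "URI must not start with //")
            return None
        return super().send_head()


class FakeSocket:
    """Constructed in-memory stand-in for a client connection (no network)."""
    def __init__(self, request_bytes):
        self.rfile = io.BytesIO(request_bytes)
        self.sent = b""

    def makefile(self, mode, bufsize=-1):
        return self.rfile

    def sendall(self, data):
        self.sent += bytes(data)


def fetch(target, directory):
    """Run one GET through the handler; return (status, Location or None)."""
    sock = FakeSocket(f"GET {target} HTTP/1.0\r\n\r\n".encode("ascii"))
    GuardedHandler(sock, ("127.0.0.1", 0), None, directory=directory)
    head = sock.sent.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    locations = [h[10:] for h in head[1:] if h.lower().startswith("location: ")]
    return int(head[0].split()[1]), (locations[0] if locations else None)


def demo():
    root = tempfile.mkdtemp()  # constructed sample tree: one subdirectory
    os.mkdir(os.path.join(root, "sub"))
    return fetch("/sub", root), fetch("//sub", root)


if __name__ == "__main__":
    print(demo())
```

The ordinary directory request still gets its trailing-slash redirect, while the double-slash form is answered with 400 and no Location header.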