http_proxy_to_wsgi allows bypassing firewall to call internal apis
Bug #1548280 reported by Radomir Dopieralski
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
oslo.middleware | Fix Released | Critical | Unassigned |
Bug Description
This is possible when there is no ssl-decoding proxy that overwrites the protocol header on the requests, but the http_proxy_to_wsgi is enabled (as it is by default in some projects, like Heat). The user can then set the header to a value like "http://
The solution to this is to only enable this middleware when a proxy that rewrites this header is present, or, like the old middleware did, have this header specified in configuration, and disabled by default.
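As an added illustration (not oslo.middleware's own code), here is a minimal WSGI middleware that shows the two behaviours the report contrasts: honouring forwarding headers unconditionally, versus being disabled by default and honouring them only for requests that arrive from a configured proxy address. The header names (X-Forwarded-Proto / X-Forwarded-Host), the trusted-proxy mechanism and all addresses are assumptions of this example, not details from the bug.

```python
class ProxyHeadersMiddleware:
    """Rewrite wsgi.url_scheme / HTTP_HOST from X-Forwarded-* headers, but only when told to."""

    def __init__(self, app, enabled=False, trusted_proxies=()):
        # Secure defaults: off unless explicitly enabled, and when enabled the
        # headers are honoured only for requests arriving from a known proxy.
        self.app = app
        self.enabled = enabled
        self.trusted_proxies = set(trusted_proxies)

    def _headers_trusted(self, environ):
        if not self.enabled:
            return False
        # An empty trusted list reproduces the always-on behaviour from the bug:
        # whoever sent the request chooses the scheme and host the app believes in.
        return not self.trusted_proxies or environ.get("REMOTE_ADDR") in self.trusted_proxies

    def __call__(self, environ, start_response):
        if self._headers_trusted(environ):
            if environ.get("HTTP_X_FORWARDED_PROTO"):
                environ["wsgi.url_scheme"] = environ["HTTP_X_FORWARDED_PROTO"]
            if environ.get("HTTP_X_FORWARDED_HOST"):
                environ["HTTP_HOST"] = environ["HTTP_X_FORWARDED_HOST"]
        return self.app(environ, start_response)


def effective_origin(environ, enabled, trusted_proxies=()):
    """Return the scheme://host the wrapped application ends up believing is its own."""
    seen = {}

    def app(env, start_response):
        seen["origin"] = f"{env['wsgi.url_scheme']}://{env['HTTP_HOST']}"
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    # dict(environ) so the caller's constructed request is not mutated.
    list(ProxyHeadersMiddleware(app, enabled, trusted_proxies)(dict(environ), lambda s, h: None))
    return seen["origin"]


# Constructed request (hypothetical addresses): a client talks to the API directly,
# with no TLS-terminating proxy in front, and sends forwarding headers of its own.
FORGED_REQUEST = {
    "REMOTE_ADDR": "203.0.113.7",
    "wsgi.url_scheme": "https",
    "HTTP_HOST": "api.example.test",
    "HTTP_X_FORWARDED_PROTO": "http",
    "HTTP_X_FORWARDED_HOST": "internal.example.test",
}
```

With `enabled=True` and no trusted proxy list the client-supplied headers win; with the default (disabled), or with a trusted list that does not contain the client's address, the application keeps the scheme and host it was actually reached on.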
Oof, we really should have addressed this one way or another much sooner.
Actually, it looks like we did[1] but didn't reference the bug. I think the cat is out of the bag on this one so there's no point keeping it private.
1: https://github.com/openstack/oslo.middleware/commit/f62c3a74c07238d91efb17e9ac64373f08894490