http_proxy_to_wsgi allows bypassing firewall to call internal apis
Bug #1548280 reported by
Radomir Dopieralski
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| oslo.middleware |
Fix Released
|
Critical
|
Unassigned | ||
Bug Description
This is possible when there is no ssl-decoding proxy that overwrites the protocol header on the requests, but the http_proxy_to_wsgi is enabled (as it is by default in some projects, like Heat). The user can then set the header to a valiiue like "http://
The solution to this is to only enable this middleware when a proxy that rewrites this header is present, or, like the old middleware did, have this header specified in configuration, and disabled by deafult.
Revision history for this message
| Ben Nemec (bnemec) wrote | #1 |
| Changed in oslo.middleware: | |
| status: | New → Triaged |
| importance: | Undecided → Critical |
| status: | Triaged → Fix Released |
| information type: | Private Security → Public Security |
To post a comment you must log in.
Oof, we really should have addressed this one way or another much sooner.
Actually, it looks like we did[1] but didn't reference the bug. I think the cat is out of the bag on this one so there's no point keeping it private.
1: https:/