Reject open redirection in the console proxy
NOTE(melwitt): This is the combination of two commits, the bug fix and a followup change to the unit test to enable it also run on Python < 3.6. Our console proxies (novnc, serial, spice) run in a websockify server whose request handler inherits from the python standard SimpleHTTPRequestHandler. There is a known issue [1] in the SimpleHTTPRequestHandler which allows open redirects by way of URLs in the following format: http://vncproxy.my.domain.com//example.com/%2F.. which if visited, will redirect a user to example.com. We can intercept a request and reject requests that pass a redirection URL beginning with "//" by implementing the SimpleHTTPRequestHandler.send_head() method containing the vulnerability to reject such requests with a 400 Bad Request. This code is copied from a patch suggested in one of the issue comments [2]. Closes-Bug: #1927677 [1] https://bugs.python.org/issue32084 [2] https://bugs.python.org/issue32084#msg306545 Conflicts: nova/tests/unit/console/test_websocketproxy.py NOTE(melwitt): The conflict is because change I23ac1cc79482d0fabb359486a4b934463854cae5 (Allow TLS ciphers/protocols to be configurable for console proxies) is not in Train. NOTE(melwitt): The difference from the cherry picked change: HTTPStatus.BAD_REQUEST => 400 is due to the fact that HTTPStatus does not exist in Python 2.7. Reduce mocking in test_reject_open_redirect for compat This is a followup for change Ie36401c782f023d1d5f2623732619105dc2cfa24 to reduce mocking in the unit test coverage for it. While backporting the bug fix, it was found to be incompatible with earlier versions of Python < 3.6 due to a difference in internal implementation [1]. This reduces the mocking in the unit test to be more agnostic to the internals of the StreamRequestHandler (ancestor of SimpleHTTPRequestHandler) and work across Python versions >= 2.7. Related-Bug: #1927677 [1]changes/07/791807/634eeed4290Change-Id: I546d376869a992601b443fb95acf1034da2a8f36 (cherry picked from commit214cabe684) (cherry picked from commit9c2f297837) (cherry picked from commit94e265f3ca) (cherry picked from commitd43b88a334) Change-Id: Ie36401c782f023d1d5f2623732619105dc2cfa24 (cherry picked from commit781612b332) (cherry picked from commit4709256142) (cherry picked from commit6b70350bdc) (cherry picked from commit719e651e6b)
parent
f1be212a86
commit
04d48527b6
@ -0,0 +1,19 @@
|
||||
---
|
||||
security:
|
||||
- |
|
||||
A vulnerability in the console proxies (novnc, serial, spice) that allowed
|
||||
open redirection has been `patched`_. The novnc, serial, and spice console
|
||||
proxies are implemented as websockify servers and the request handler
|
||||
inherits from the python standard SimpleHTTPRequestHandler. There is a
|
||||
`known issue`_ in the SimpleHTTPRequestHandler which allows open redirects
|
||||
by way of URLs in the following format::
|
||||
|
||||
http://vncproxy.my.domain.com//example.com/%2F..
|
||||
|
||||
which if visited, will redirect a user to example.com.
|
||||
|
||||
The novnc, serial, and spice console proxies will now reject requests that
|
||||
pass a redirection URL beginning with "//" with a 400 Bad Request.
|
||||
|
||||
.. _patched: https://bugs.launchpad.net/nova/+bug/1927677
|
||||
.. _known issue: https://bugs.python.org/issue32084
|
||||
Loading…
Reference in New Issue