From 3eb67b811ae2442bd86781d9f1c4078a982cfe84 Mon Sep 17 00:00:00 2001
From: Rohit Karajgi
Date: Tue, 2 Jul 2013 07:01:44 -0700
Subject: [PATCH] Enable no_parent and file_only security

The websockify package was recently upgraded to version 0.5.1, which added two parameters that provide additional security:
* no_parent - returns 403 response if contents out of the web root are requested. Required to disable directory traversal.
* file_only - returns 404 response if non-file contents are requested. Required to disable directory listing.
This version is available in PyPi. Nova should upgrade it's required version for websockify, and set these parameters while creating and starting the NovaWebSocketProxy to ensure better security.
DocImpact
Fixes bug #1195700
Change-Id: I9c4b28eb1b384048f10d365ed204b916afd371bb
---
 nova/cmd/novncproxy.py | 2 ++
 requirements.txt | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/nova/cmd/novncproxy.py b/nova/cmd/novncproxy.py
index c19d24981b36..cb818c387c9f 100644
--- a/nova/cmd/novncproxy.py
+++ b/nova/cmd/novncproxy.py
@@ -77,6 +77,8 @@ def main():
 daemon=CONF.daemon,
 record=CONF.record,
 web=CONF.web,
+ file_only=True,
+ no_parent=True,
 target_host='ignore',
 target_port='ignore',
 wrap_mode='exit',
diff --git a/requirements.txt b/requirements.txt
index 54fe8ad9487b..533aa7ddee73 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -27,7 +27,7 @@ python-glanceclient>=0.9.0
 python-keystoneclient>=0.2.0
 six
 stevedore>=0.10
-websockify<0.4
+websockify>=0.5.1,<0.6
 pyparsing>=1.5.7,<2.0
 # order-dependent python-quantumclient req, bug 1191866
 -f http://tarballs.openstack.org/oslo.config/oslo.config-1.2.0a3.tar.gz#egg=oslo.config-1.2.0a3
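Review bot: The two added keyword arguments `file_only=True` and `no_parent=True` only take effect if the NovaWebSocketProxy constructor forwards them to websockify's WebSocketProxy/WebSocketServer base class, and that constructor is outside this hunk, so it is worth confirming they are not silently swallowed on the nova side; the only other guard is the requirements.txt pin, which does nothing for an already-installed older websockify. Because these flags are the whole security point of the change and look like arbitrary option noise at the call site, a why-comment would keep a future cleanup from dropping them, e.g. `# Harden the static web root (bug #1195700): no_parent rejects paths outside CONF.web, file_only rejects non-file requests such as directory listings; needs websockify>=0.5.1`. A unit test asserting the proxy is constructed with both flags set to True would catch a regression. The enclosing main() starts and ends outside the hunk.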