OpenStack Compute (Nova)
Go to file
melanie witt 04d48527b6 Reject open redirection in the console proxy
NOTE(melwitt): This is the combination of two commits, the bug fix and
a followup change to the unit test to enable it also run on
Python < 3.6.

Our console proxies (novnc, serial, spice) run in a websockify server
whose request handler inherits from the python standard
SimpleHTTPRequestHandler. There is a known issue [1] in the
SimpleHTTPRequestHandler which allows open redirects by way of URLs
in the following format:

which if visited, will redirect a user to

We can intercept a request and reject requests that pass a redirection
URL beginning with "//" by implementing the
SimpleHTTPRequestHandler.send_head() method containing the
vulnerability to reject such requests with a 400 Bad Request.

This code is copied from a patch suggested in one of the issue comments

Closes-Bug: #1927677



NOTE(melwitt): The conflict is because change
I23ac1cc79482d0fabb359486a4b934463854cae5 (Allow TLS ciphers/protocols
to be configurable for console proxies) is not in Train.

NOTE(melwitt): The difference from the cherry picked change:
HTTPStatus.BAD_REQUEST => 400 is due to the fact that HTTPStatus does
not exist in Python 2.7.

Reduce mocking in test_reject_open_redirect for compat

This is a followup for change Ie36401c782f023d1d5f2623732619105dc2cfa24
to reduce mocking in the unit test coverage for it.

While backporting the bug fix, it was found to be incompatible with
earlier versions of Python < 3.6 due to a difference in internal
implementation [1].

This reduces the mocking in the unit test to be more agnostic to the
internals of the StreamRequestHandler (ancestor of
SimpleHTTPRequestHandler) and work across Python versions >= 2.7.

Related-Bug: #1927677

[1] 34eeed4290

Change-Id: I546d376869a992601b443fb95acf1034da2a8f36
(cherry picked from commit 214cabe684)
(cherry picked from commit 9c2f297837)
(cherry picked from commit 94e265f3ca)
(cherry picked from commit d43b88a334)

Change-Id: Ie36401c782f023d1d5f2623732619105dc2cfa24
(cherry picked from commit 781612b332)
(cherry picked from commit 4709256142)
(cherry picked from commit 6b70350bdc)
(cherry picked from commit 719e651e6b)
2021-10-08 09:38:09 +00:00
api-guide/source Allow resizing server with port resource request 2019-09-12 10:35:22 -04:00
api-ref/source compute: Validate a BDMs disk_bus when provided 2020-09-03 15:24:37 +01:00
devstack Merge "Find instance in another cell during floating IP re-association" 2019-09-13 15:19:55 +00:00
doc Add config parameter 'live_migration_scheme' to live migration with tls guide 2021-03-24 05:38:06 +00:00
etc/nova Remove an unused file and a related description 2019-09-13 10:33:32 +09:00
gate [stable-only] gate: Pin CEPH_RELEASE to nautilus in LM hook 2021-03-11 15:38:12 +00:00
nova Reject open redirection in the console proxy 2021-10-08 09:38:09 +00:00
playbooks Merge "Convert nova-lvm job to zuul v3" 2019-09-04 20:08:05 +00:00
releasenotes Reject open redirection in the console proxy 2021-10-08 09:38:09 +00:00
roles/run-post-test-hook Convert nova-next to a zuul v3 job 2019-07-23 11:32:35 -04:00
tools Move 'check-cherry-picks' test to gate, n-v check 2021-06-18 11:27:00 +01:00
.coveragerc Remove nova/openstack/* from .coveragerc 2016-10-12 16:20:49 -04:00
.gitignore Delete the placement code 2019-04-28 20:06:15 +00:00
.gitreview Update .gitreview for stable/train 2019-09-27 09:06:47 +00:00
.mailmap Add mailmap entry 2014-05-07 12:14:26 -07:00
.stestr.conf Finish stestr migration 2017-11-24 16:51:12 -05:00
.zuul.yaml Move 'check-cherry-picks' test to gate, n-v check 2021-06-18 11:27:00 +01:00
CONTRIBUTING.rst Update links in documents 2018-01-12 17:05:11 +08:00
HACKING.rst Remove descriptions of nonexistent hacking rules 2019-08-26 14:55:51 +09:00
LICENSE initial commit 2010-05-27 23:05:26 -07:00
MAINTAINERS Fix broken URLs 2017-09-07 15:42:31 +02:00
README.rst Update api-ref location 2019-07-22 19:17:28 +02:00
babel.cfg Get rid of distutils.extra. 2012-02-08 19:30:39 -08:00
bindep.txt Added openssh-client into bindep 2019-10-29 07:02:24 +00:00
lower-constraints.txt [stable-only] Cap bandit to 1.6.2 and raise hacking, flake8 and stestr 2020-12-23 11:15:08 +00:00
requirements.txt Merge "Tune up db.instance_get_all_uuids_by_hosts" 2019-09-23 19:58:43 +00:00
setup.cfg Rename 'nova.common.config' module to 'nova.middleware' 2019-08-16 00:53:03 +01:00 Updated from global requirements 2017-03-02 11:50:48 +00:00
test-requirements.txt [stable-only] Cap bandit to 1.6.2 and raise hacking, flake8 and stestr 2020-12-23 11:15:08 +00:00
tox.ini [stable-only] Pin virtualenv and setuptools 2021-10-05 21:39:56 +00:00


Team and repository tags


OpenStack Nova

OpenStack Nova provides a cloud computing fabric controller, supporting a wide variety of compute technologies, including: libvirt (KVM, Xen, LXC and more), Hyper-V, VMware, XenServer, OpenStack Ironic and PowerVM.

Use the following resources to learn more.


To learn how to use Nova's API, consult the documentation available online at:

For more information on OpenStack APIs, SDKs and CLIs in general, refer to:


To learn how to deploy and configure OpenStack Nova, consult the documentation available online at:

In the unfortunate event that bugs are discovered, they should be reported to the appropriate bug tracker. If you obtained the software from a 3rd party operating system vendor, it is often wise to use their own bug tracker for reporting problems. In all other cases use the master OpenStack bug tracker, available at:


For information on how to contribute to Nova, please see the contents of the CONTRIBUTING.rst.

Any new code must follow the development guidelines detailed in the HACKING.rst file, and pass all unit tests.

Further developer focused documentation is available at:

Other Information

During each Summit and Project Team Gathering, we agree on what the whole community wants to focus on for the upcoming release. The plans for nova can be found at: