OpenStack Compute (Nova)
melanie witt 781612b332 Reject open redirection in the console proxy
Our console proxies (novnc, serial, spice) run in a websockify server
whose request handler inherits from the python standard
SimpleHTTPRequestHandler. There is a known issue [1] in the
SimpleHTTPRequestHandler which allows open redirects by way of URLs
in the following format:

  http://vncproxy.my.domain.com//example.com/%2F..

which if visited, will redirect a user to example.com.

We can intercept a request and reject requests that pass a redirection
URL beginning with "//" by implementing the
SimpleHTTPRequestHandler.send_head() method containing the
vulnerability to reject such requests with a 400 Bad Request.

This code is copied from a patch suggested in one of the issue comments
[2].

Closes-Bug: #1927677

[1] https://bugs.python.org/issue32084
[2] https://bugs.python.org/issue32084#msg306545

Change-Id: Ie36401c782f023d1d5f2623732619105dc2cfa24
2021-05-14 17:26:00 +02:00
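
The check described in the commit message above, as an added example (not Nova's code and not the patch from the Python issue): a hypothetical `NoOpenRedirectHandler` overrides `send_head()` and answers 400 Bad Request to request targets beginning with `//`, while ordinary directory redirects still work. Reading the raw request line instead of `self.path` is an assumption of this example, so the result does not depend on any path normalisation applied earlier; `FakeSocket` and `probe` are helper names invented here to drive the handler without a network.

```python
import io
import tempfile
from http import HTTPStatus
from http.server import SimpleHTTPRequestHandler


class NoOpenRedirectHandler(SimpleHTTPRequestHandler):
    """Hypothetical handler: answers 400 to any request target starting with '//'."""

    def send_head(self):
        # self.requestline is the raw first line, e.g. "GET //host/%2F.. HTTP/1.0".
        # Checking it (instead of self.path) is a choice made for this example.
        words = self.requestline.split()
        target = words[1] if len(words) >= 2 else self.path
        if target.startswith("//"):
            # A browser reads "Location: //host/..." as an absolute URL on
            # another host, so refuse before any redirect can be built.
            self.send_error(HTTPStatus.BAD_REQUEST, "URI must not start with //")
            return None
        return super().send_head()

    def log_message(self, format, *args):
        pass  # keep the demo quiet


class FakeSocket:
    """Minimal in-memory stand-in for a client socket (no network needed)."""

    def __init__(self, request_bytes):
        self._rfile = io.BytesIO(request_bytes)
        self.sent = io.BytesIO()

    def makefile(self, *args, **kwargs):
        return self._rfile

    def sendall(self, data):
        self.sent.write(data)


def probe(handler_cls, target, directory):
    """Feed one GET through handler_cls; return (status, Location header or None)."""
    sock = FakeSocket(f"GET {target} HTTP/1.0\r\n\r\n".encode("ascii"))
    handler_cls(sock, ("127.0.0.1", 0), None, directory=directory)
    head = sock.sent.getvalue().split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    headers = dict(line.split(": ", 1) for line in header_lines)
    return int(status_line.split()[1]), headers.get("Location")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # constructed, empty web root
        print(probe(NoOpenRedirectHandler, "//example.com/%2F..", root))
        print(probe(NoOpenRedirectHandler, "/", root))
```
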
api-guide/source Trival change: spell error of Shelve 2021-04-07 02:10:19 +00:00
api-ref/source trivial: fix word duplication in api ref 2021-03-22 09:22:39 +01:00
devstack Switch to new rolevar for run-tempest role 2021-04-09 16:06:10 +00:00
doc Merge "Remove references to 'sys.version_info'" 2021-05-03 14:21:56 +00:00
etc/nova Allow versioned discovery unauthenticated 2020-04-03 21:24:28 +00:00
gate zuul: Replace grenade and nova-grenade-multinode with grenade-multinode 2021-04-29 11:05:58 +01:00
nova Reject open redirection in the console proxy 2021-05-14 17:26:00 +02:00
playbooks zuul: Replace grenade and nova-grenade-multinode with grenade-multinode 2021-04-29 11:05:58 +01:00
releasenotes Reject open redirection in the console proxy 2021-05-14 17:26:00 +02:00
roles [OVN] Adapt the live-migration job scripts to work with OVN 2021-03-15 09:41:03 +00:00
tools Add generate schemas tool 2021-01-18 16:27:00 +00:00
.coveragerc Remove nova/openstack/* from .coveragerc 2016-10-12 16:20:49 -04:00
.gitignore tox: Integrate mypy 2020-05-15 15:59:53 +01:00
.gitreview OpenDev Migration Patch 2019-04-19 19:45:52 +00:00
.mailmap Add mailmap entry 2014-05-07 12:14:26 -07:00
.pre-commit-config.yaml Switch to hacking 2.x 2020-01-17 11:30:40 +00:00
.stestr.conf Finish stestr migration 2017-11-24 16:51:12 -05:00
.zuul.yaml zuul: Remove nova-dsvm-multinode-base 2021-04-29 11:05:58 +01:00
bindep.txt bindep: Install python3 and python3-devel on CentOS 8 and Fedora 2020-10-03 13:20:21 +01:00
CONTRIBUTING.rst [Community goal] Update contributor documentation 2020-03-25 12:01:37 +00:00
HACKING.rst Add a hacking rule for assert_has_calls 2020-09-28 23:08:15 +09:00
LICENSE initial commit 2010-05-27 23:05:26 -07:00
lower-constraints.txt Merge "libvirt: Delegate OVS plug to os-vif" 2021-05-01 04:06:48 +00:00
MAINTAINERS Fix broken URLs 2017-09-07 15:42:31 +02:00
mypy-files.txt Merge "Enable mypy on scheduler/report.py" 2021-04-21 17:23:33 +00:00
README.rst docs: Remove references to XenAPI driver 2020-08-31 15:53:31 +01:00
requirements.txt libvirt: Delegate OVS plug to os-vif 2021-04-30 12:51:35 +01:00
setup.cfg setup.cfg: Resolve warning 2021-03-09 12:49:50 +00:00
setup.py Updated from global requirements 2017-03-02 11:50:48 +00:00
test-requirements.txt vmware: Use oslo.vmware's get_moref_value() 2021-04-19 11:35:54 +02:00
tox.ini tox: Add passenv DISABLE_CHERRY_PICK_CHECK to pep8 2021-02-17 11:23:49 +00:00

OpenStack Nova

OpenStack Nova provides a cloud computing fabric controller, supporting a wide variety of compute technologies, including: libvirt (KVM, Xen, LXC and more), Hyper-V, VMware, OpenStack Ironic and PowerVM.

Use the following resources to learn more.

API

To learn how to use Nova's API, consult the documentation available online at:

For more information on OpenStack APIs, SDKs and CLIs in general, refer to:

Operators

To learn how to deploy and configure OpenStack Nova, consult the documentation available online at:

In the unfortunate event that bugs are discovered, they should be reported to the appropriate bug tracker. If you obtained the software from a 3rd party operating system vendor, it is often wise to use their own bug tracker for reporting problems. In all other cases use the master OpenStack bug tracker, available at:

Developers

For information on how to contribute to Nova, please see the contents of the CONTRIBUTING.rst.

Any new code must follow the development guidelines detailed in the HACKING.rst file, and pass all unit tests.

Further developer focused documentation is available at:

Other Information

During each Summit and Project Team Gathering, we agree on what the whole community wants to focus on for the upcoming release. The plans for nova can be found at: