781612b332
Our console proxies (novnc, serial, spice) run in a websockify server whose
request handler inherits from the python standard SimpleHTTPRequestHandler.
There is a known issue [1] in the SimpleHTTPRequestHandler which allows open
redirects by way of URLs in the following format:

http://vncproxy.my.domain.com//example.com/%2F..

which if visited, will redirect a user to example.com.

We can intercept a request and reject requests that pass a redirection URL
beginning with "//" by implementing the SimpleHTTPRequestHandler.send_head()
method containing the vulnerability to reject such requests with a 400 Bad
Request. This code is copied from a patch suggested in one of the issue
comments [2].

Closes-Bug: #1927677

[1] https://bugs.python.org/issue32084
[2] https://bugs.python.org/issue32084#msg306545

Change-Id: Ie36401c782f023d1d5f2623732619105dc2cfa24
20 lines
837 B
YAML
---
security:
  - |
    A vulnerability in the console proxies (novnc, serial, spice) that allowed
    open redirection has been `patched`_. The novnc, serial, and spice console
    proxies are implemented as websockify servers and the request handler
    inherits from the python standard SimpleHTTPRequestHandler. There is a
    `known issue`_ in the SimpleHTTPRequestHandler which allows open redirects
    by way of URLs in the following format::

        http://vncproxy.my.domain.com//example.com/%2F..

    which if visited, will redirect a user to example.com.

    The novnc, serial, and spice console proxies will now reject requests that
    pass a redirection URL beginning with "//" with a 400 Bad Request.

    .. _patched: https://bugs.launchpad.net/nova/+bug/1927677
    .. _known issue: https://bugs.python.org/issue32084
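The mechanism behind the commit message and release note above, as an added example that is not nova's or websockify's code: `stock_redirect_location()` reproduces the `Location` value the unpatched `SimpleHTTPRequestHandler.send_head()` builds for a directory requested without a trailing slash, `redirect_leaves_host()` shows why a `//`-prefixed value is dangerous, and `NoOpenRedirectHandler` applies the same kind of `send_head()` guard (the class and function names are this example's own). Recent CPython releases also collapse a leading `//` in `parse_request` (gh-87389), so on those interpreters the override is defence in depth rather than the only guard.

```python
"""Added example (not nova's code): the redirect the stock handler would emit
for a '//'-prefixed path, and a send_head() override that refuses it."""
import http.server
import os
from urllib.parse import urlsplit


def stock_redirect_location(request_path):
    """Location header the unpatched SimpleHTTPRequestHandler.send_head() builds
    when request_path names a directory but lacks a trailing slash: it splits
    the request path with urlsplit() and re-joins it with '/' appended."""
    parts = urlsplit(request_path)
    return parts._replace(path=parts.path + "/").geturl()


def redirect_leaves_host(location):
    """True when a browser would resolve `location` against a different host.
    A scheme-relative value ('//host/...') carries a non-empty netloc, so the
    client keeps the current scheme but switches to that host."""
    return urlsplit(location).netloc != ""


def should_reject(request_path):
    """The mitigation described above: a request path starting with '//' is
    refused outright, since any redirect derived from it would be
    scheme-relative. A doubled slash anywhere else is left alone."""
    return request_path.startswith("//")


class NoOpenRedirectHandler(http.server.SimpleHTTPRequestHandler):
    """SimpleHTTPRequestHandler with the directory-redirect branch guarded."""

    def send_head(self):
        if os.path.isdir(self.translate_path(self.path)):
            if not urlsplit(self.path).path.endswith("/") and should_reject(self.path):
                # The stock code would answer 301 with the value computed by
                # stock_redirect_location(); answer 400 instead and stop here.
                self.send_error(400, "URI must not start with //")
                return None
        return super().send_head()
```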