Reject invalid whitespace in HM url_path value
Plain whitespace characters in url_path must be rejected because
they may allow authorized users to inject arbitrary HAProxy
directives in the configuration of amphorae.
Story: 2008994
Task: 42656
Change-Id: I0f4c59a2928f2a813171109aaf73a1d7dff9eefe
(cherry picked from commit 251fab17b5)
parent
c6da46ea8d
commit
9afb3af6bb
@ -55,6 +55,7 @@ def url_path(url_path):
|
||||
p_url = rfc3986.urlparse(rfc3986.normalize_uri(url_path))
|
||||
|
||||
invalid_path = (
|
||||
re.search(r"\s", url_path) or
|
||||
p_url.scheme or p_url.userinfo or p_url.host or
|
||||
p_url.port or
|
||||
p_url.path is None or
|
||||
|
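Review bot: The new `re.search(r"\s", url_path)` term is a denylist that stops whitespace only, so any other character that is significant to the HAProxy configuration parser would still pass if the template writes url_path unquoted; the rendering code is not visible here, so this needs confirming there. Consider validating the raw value against an allowlist of RFC 3986 path characters instead, and at minimum add a comment such as `# Match the raw input: unencoded whitespace could inject HAProxy directives (Story 2008994)`. The check is also evaluated only after `rfc3986.normalize_uri(url_path)` on the line above has processed the untrusted value; testing for whitespace before parsing would reject bad input earlier. The body of url_path continues outside the hunk.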
@ -44,6 +44,15 @@ class TestValidations(base.TestCase):
|
||||
self.assertRaises(exceptions.InvalidURL, validate.url,
|
||||
'ssh://www.example.com/')
|
||||
|
||||
def test_validate_url_path(self):
|
||||
self.assertTrue(validate.url_path('/foo'))
|
||||
self.assertTrue(validate.url_path('/foo%0Abar'))
|
||||
|
||||
def test_validate_bad_url_path(self):
|
||||
self.assertRaises(exceptions.InvalidURLPath, validate.url_path, 'foo')
|
||||
self.assertRaises(exceptions.InvalidURLPath, validate.url_path,
|
||||
'/foo\nbar')
|
||||
|
||||
def test_validate_header_name(self):
|
||||
ret = validate.header_name('Some-header')
|
||||
self.assertTrue(ret)
|
||||
|
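Review bot: test_validate_bad_url_path exercises only the newline case, while the validator rejects every `\s` character and the release note says unencoded whitespace in general is refused. Add assertions for the other common forms, for example `self.assertRaises(exceptions.InvalidURLPath, validate.url_path, '/foo bar')` and the same call with `'/foo\tbar'` and `'/foo\rbar'`, so a later narrowing of the pattern is caught by the suite. TestValidations starts and continues outside this hunk.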
@ -0,0 +1,7 @@
|
||||
---
|
||||
issues:
|
||||
- |
|
||||
Fixed configuration issue which allowed authenticated and authorized
|
||||
users to inject code into HAProxy configuration using API requests.
|
||||
Octavia API no longer accepts unencoded whitespace characters in url_path values
|
||||
in update requests for healthmonitors.
|