octavia/releasenotes/notes/fixed-API-validation-for-L7-rules-and-session-cookies-cb88f3f1b90171f9.yaml
Tom Weininger 6c52fd0e46 Validate L7Rule value and cookie name
Adds validations in L7 rule and session cookie APIs in order to prevent
authenticated and authorized users from injecting code into HAProxy
configuration. CR and LF (\r and \n) are no longer allowed in L7
rule keys and values. The session persistence cookie names must follow
the rules described in
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie.

Story: 2008994
Task: 44859
Change-Id: Ic370e9edc3fb5548e9cf0d66b85df66e01c41e79
(cherry picked from commit 3cf866dbc0)
(cherry picked from commit 133ec4763d)
(cherry picked from commit c30aa9df22)
2022-06-20 08:42:24 +02:00

10 lines
407 B
YAML

---
fixes:
  - |
    Fixed validations in L7 rule and session cookie APIs in order to prevent
    authenticated and authorized users to inject code into HAProxy
    configuration. CR and LF (\r and \n) are no longer allowed in L7 rule
    keys and values. The session persistence cookie names must follow the rules
    described in
    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie.
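
The two checks this release note describes, sketched as an added example; this is not Octavia's code. The helper names, the exception class and the sample inputs are hypothetical, and the cookie-name pattern assumes the HTTP token grammar that the linked Set-Cookie page describes.

```python
import re

# Assumed cookie-name grammar: an HTTP "token", i.e. visible US-ASCII with no
# control characters, whitespace or separators ( ) < > @ , ; : \ " / [ ] ? = { }
_COOKIE_NAME_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


class ValidationError(ValueError):
    """Raised when an API field must not be rendered into a config file."""


def validate_l7rule_field(field, text):
    """Reject CR and LF in an L7 rule key or value (hypothetical helper)."""
    if text is None:          # the key is optional for most rule types
        return None
    if "\r" in text or "\n" in text:
        raise ValidationError(f"L7 rule {field} must not contain CR or LF")
    return text


def validate_cookie_name(cookie_name):
    """Accept only a non-empty token as session persistence cookie name."""
    if not cookie_name or not _COOKIE_NAME_RE.fullmatch(cookie_name):
        raise ValidationError("cookie name contains characters not allowed "
                              "in a Set-Cookie cookie-name")
    return cookie_name


def is_accepted(validator, *args):
    """Return True if the validator passes, False if it raises."""
    try:
        validator(*args)
        return True
    except ValidationError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the commit or its tests.
    samples = [
        (validate_l7rule_field, ("value", "/api/v1")),
        (validate_l7rule_field, ("value", "/api\nconstructed-second-line")),
        (validate_l7rule_field, ("key", "X-Header\r")),
        (validate_cookie_name, ("JSESSIONID",)),
        (validate_cookie_name, ("session id",)),
        (validate_cookie_name, ("name;extra",)),
    ]
    for validator, args in samples:
        print(validator.__name__, repr(args), is_accepted(validator, *args))
```

Validating at the API layer means a rejected value never reaches the template that renders the HAProxy configuration, so the check does not depend on escaping in the rendering step.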