From 8964d431995a785cfe232ae4caa28a9d4a2013ed Mon Sep 17 00:00:00 2001 From: Marc Gariepy Date: Mon, 11 Nov 2024 16:02:11 -0500 Subject: [PATCH] Fix encoded url bypass Fix path when url was encoded with '%2F.git/HEAD' Change-Id: Ia8742720e3a995fb254be395a64af6fe29fa8a50 --- inventory/group_vars/nova_all/haproxy_service.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/inventory/group_vars/nova_all/haproxy_service.yml b/inventory/group_vars/nova_all/haproxy_service.yml index 2774d86c58..09966ed790 100644 --- a/inventory/group_vars/nova_all/haproxy_service.yml +++ b/inventory/group_vars/nova_all/haproxy_service.yml @@ -72,7 +72,7 @@ haproxy_nova_spice_console_service: haproxy_accept_both_protocols: "{{ nova_accept_both_protocols | default(openstack_service_accept_both_protocols) }}" haproxy_service_enabled: "{{ groups['nova_console'] is defined and groups['nova_console'] | length > 0 and 'spice' in nova_console_proxy_types }}" haproxy_frontend_raw: - - "http-request deny if { path -m sub /. }" + - "http-request deny if { path,url_dec -m sub /. }" haproxy_nova_serial_console_service: haproxy_service_name: nova_serial_console @@ -91,7 +91,7 @@ haproxy_nova_serial_console_service: haproxy_service_enabled: "{{ (groups['nova_console'] is defined and groups['nova_console'] | length > 0 and 'serialconsole' in nova_console_proxy_types) or (groups['ironic_console'] is defined and groups['ironic_console'] | length > 0 and 'serialconsole' in nova_console_proxy_types) }}" haproxy_frontend_raw: - - "http-request deny if { path -m sub /. }" + - "http-request deny if { path,url_dec -m sub /. }" haproxy_nova_novnc_console_service: haproxy_service_name: nova_novnc_console 
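Review bot: The deny rule in the spice console entry, `http-request deny if { path,url_dec -m sub /. }`, decodes the path exactly once, so it holds only if the console proxy behind HAProxy does not percent-decode the path a second time. That behaviour is not visible in this patch and should be confirmed for all three console backends, since the serial and novnc hunks carry the same rule. Nothing in the change tests the rule, so a functional check that sends both the literal and the percent-encoded form from the commit message to each frontend and expects the request to be denied would catch a regression. The entry would also benefit from a comment recording why the converter is there, for example `# url_dec: match on the decoded path so percent-encoded forms of "/." are denied too`.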
@@ -109,7 +109,7 @@ haproxy_nova_novnc_console_service:
 haproxy_accept_both_protocols: "{{ nova_accept_both_protocols | default(openstack_service_accept_both_protocols) }}"
 haproxy_service_enabled: "{{ groups['nova_console'] is defined and groups['nova_console'] | length > 0 and 'novnc' in nova_console_proxy_types }}"
 haproxy_frontend_raw:
- - "http-request deny if { path -m sub /. }"
+ - "http-request deny if { path,url_dec -m sub /. }"
 
 # NOTE(jrosser) Clean up legacy console haproxy configs from previous releases
 haproxy_nova_console_service:
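Review bot: The same literal rule string under `haproxy_frontend_raw` is now maintained in three places (this novnc entry plus the spice and serial console entries), and this commit had to edit each copy by hand. A later hardening that misses one copy would leave that console frontend on the weaker match. Defining the rule once in this file and referencing it from each entry keeps the frontends in step, for example `- "{{ haproxy_console_deny_dot_paths }}"`. The variable name is only a suggestion and does not exist in the file as shown.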