From b8eb8b35810e8379e6f0560eb7c2883afd6798f8 Mon Sep 17 00:00:00 2001
From: Dmitrii Kabanov
Date: Thu, 27 Sep 2018 09:46:52 -0700
Subject: [PATCH] Horizon: HTTP Verb Tampering vulnerability fix

The patch fixes the HTTP verb tampering issue. The idea is to disable unnecessary HTTP methods for the Horizon. You can find a link to the description [0] and a link to the White Paper [1] below: CAPEC-274: HTTP Verb Tampering [0] https://capec.mitre.org/data/definitions/274.html Bypassing Web Authentication and Authorization with HTTP Verb Tampering (Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf) [1] https://dl.packetstormsecurity.net/papers/web/Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf

Change-Id: I98169973410bc1dce779ac1e870256b9a45d2cc8
---
 horizon/templates/bin/_horizon.sh.tpl | 2 ++
 horizon/values.yaml | 3 +++
 2 files changed, 5 insertions(+)

diff --git a/horizon/templates/bin/_horizon.sh.tpl b/horizon/templates/bin/_horizon.sh.tpl
index 473d235447..8ff4a3c16e 100644
--- a/horizon/templates/bin/_horizon.sh.tpl
+++ b/horizon/templates/bin/_horizon.sh.tpl
@@ -27,6 +27,8 @@ function start () {
 # wsgi/horizon-http needs open files here, including secret_key_store
 chown -R horizon ${SITE_PACKAGES_ROOT}/openstack_dashboard/local/
 
+ a2enmod rewrite
+
 if [ -f /etc/apache2/envvars ]; then
 # Loading Apache2 ENV variables
 source /etc/apache2/envvars
diff --git a/horizon/values.yaml b/horizon/values.yaml
index 039cc1e47b..180253c652 100644
--- a/horizon/values.yaml
+++ b/horizon/values.yaml
@@ -74,6 +74,9 @@ conf:
 WSGIProcessGroup horizon-http
 WSGIScriptAlias / /var/www/cgi-bin/horizon/django.wsgi
 WSGIPassAuthorization On
+ RewriteEngine on
+ RewriteCond %{REQUEST_METHOD} !^(POST|PUT|GET|DELETE)
+ RewriteRule .* - [F]
 Require all granted
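Review bot: The added `a2enmod rewrite` ignores its exit status, so whether a missing or unavailable mod_rewrite stops start() depends on a `set -e` that is not visible in this hunk (the body of start() continues outside it). The method filter added to values.yaml in the same commit depends on this module being loaded; if a2enmod fails, Apache will reject the `RewriteEngine` directive at startup and the failure surfaces far from its cause, and a2enmod itself only exists on Debian-family images, so the dependency should be stated. I would make the failure explicit and documented: `# mod_rewrite is required by the request-method filter in conf.horizon.apache (values.yaml)` followed by `a2enmod rewrite || { echo "a2enmod rewrite failed; the request-method filter cannot be applied" >&2; exit 1; }`.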
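Review bot: The condition `RewriteCond %{REQUEST_METHOD} !^(POST|PUT|GET|DELETE)` is not anchored at the end and omits HEAD, OPTIONS and PATCH, so it is a prefix match rather than an allow-list, and HEAD-based health checks, CORS preflight requests and any Horizon REST endpoint served via PATCH would now receive 403 (whether Horizon's REST layer uses PATCH should be verified against the dashboard code before merging). The enclosing Apache block that these three lines sit in may extend beyond the visible hunk. I would anchor the pattern, `RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST|PUT|PATCH|DELETE|OPTIONS)$`, with the exact list confirmed against what Horizon actually serves, and document intent in place: `# Reject request methods Horizon does not serve (CAPEC-274); keep this list in sync with the verbs the Django views accept`. Note also that `[F]` returns 403 where a method restriction is conventionally a 405 with an Allow header; that is a behavioural choice worth stating in the comment.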