Horizon: HTTP Verb Tampering vulnerability fix

The patch fixes the HTTP verb tampering issue. The idea is to disable unnecessary HTTP methods for the Horizon. You can find a link to the description [0] and a link to the White Paper [1] below: CAPEC-274: HTTP Verb Tampering [0] https://capec.mitre.org/data/definitions/274.html Bypassing Web Authentication and Authorization with HTTP Verb Tampering (Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf) [1] https://dl.packetstormsecurity.net/papers/web/Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf Change-Id: I98169973410bc1dce779ac1e870256b9a45d2cc8
2018-09-27 09:46:52 -07:00 · 2018-09-27 09:46:52 -07:00 · b8eb8b3581
commit b8eb8b3581
parent c573ba198f
2 changed files with 5 additions and 0 deletions
--- a/horizon/templates/bin/_horizon.sh.tpl
+++ b/horizon/templates/bin/_horizon.sh.tpl
@ -27,6 +27,8 @@ function start () {
  # wsgi/horizon-http needs open files here, including secret_key_store
  chown -R horizon ${SITE_PACKAGES_ROOT}/openstack_dashboard/local/

+  a2enmod rewrite
+
  if [ -f /etc/apache2/envvars ]; then
     # Loading Apache2 ENV variables
     source /etc/apache2/envvars
--- a/horizon/values.yaml
+++ b/horizon/values.yaml
@ -74,6 +74,9 @@ conf:
          WSGIProcessGroup horizon-http
          WSGIScriptAlias / /var/www/cgi-bin/horizon/django.wsgi
          WSGIPassAuthorization On
+          RewriteEngine on
+          RewriteCond %{REQUEST_METHOD} !^(POST|PUT|GET|DELETE)
+          RewriteRule .* - [F]

          <Location "/">
              Require all granted