Browse Source

proxy to be able to deny request to invalid hostnames

Change-Id: I974f729da60e5ab9453daf9e52466b3e1af5c69b
changes/99/6499/2
David Goetz 10 years ago
parent
commit
40cbff9fd3
  1. 2
      etc/proxy-server.conf-sample
  2. 5
      swift/proxy/server.py
  3. 13
      test/unit/proxy/test_server.py

2
etc/proxy-server.conf-sample

@ -57,6 +57,8 @@ use = egg:swift#proxy
# This is a comma separated list of account hashes that ignore the
# max_containers_per_account cap.
# max_containers_whitelist =
# comma separated list of Host headers the proxy will be deny requests to
# deny_host_headers =
[filter:tempauth]
use = egg:swift#tempauth

5
swift/proxy/server.py

@ -1841,6 +1841,8 @@ class BaseApplication(object):
self.max_containers_whitelist = [a.strip()
for a in conf.get('max_containers_whitelist', '').split(',')
if a.strip()]
self.deny_host_headers = [host.strip() for host in
conf.get('deny_host_headers', '').split(',') if host.strip()]
def get_controller(self, path):
"""
@ -1925,6 +1927,9 @@ class BaseApplication(object):
return HTTPPreconditionFailed(request=req, body='Invalid UTF8')
if not controller:
return HTTPPreconditionFailed(request=req, body='Bad URL')
if self.deny_host_headers and \
req.host.split(':')[0] in self.deny_host_headers:
return HTTPForbidden(request=req, body='Invalid host header')
controller = controller(self, **path_parts)
if 'swift.trans_id' not in req.environ:

13
test/unit/proxy/test_server.py

@ -741,6 +741,19 @@ class TestProxyServer(unittest.TestCase):
finally:
rmtree(swift_dir, ignore_errors=True)
def test_denied_host_header(self):
swift_dir = mkdtemp()
try:
baseapp = proxy_server.BaseApplication({'swift_dir': swift_dir,
'deny_host_headers': 'invalid_host.com'},
FakeMemcache(), NullLoggingHandler(), FakeRing(), FakeRing(),
FakeRing())
resp = baseapp.handle_request(
Request.blank('/v1/a/c/o',
environ={'HTTP_HOST': 'invalid_host.com'}))
self.assertEquals(resp.status, '403 Forbidden')
finally:
rmtree(swift_dir, ignore_errors=True)
class TestObjectController(unittest.TestCase):

Loading…
Cancel
Save