proxy to be able to deny request to invalid hostnames
Change-Id: I974f729da60e5ab9453daf9e52466b3e1af5c69b
parent
a77cbc2892
commit
40cbff9fd3
|
@ -57,6 +57,8 @@ use = egg:swift#proxy
|
||||||
# This is a comma separated list of account hashes that ignore the
|
# This is a comma separated list of account hashes that ignore the
|
||||||
# max_containers_per_account cap.
|
# max_containers_per_account cap.
|
||||||
# max_containers_whitelist =
|
# max_containers_whitelist =
|
||||||
|
# comma separated list of Host headers the proxy will be deny requests to
|
||||||
|
# deny_host_headers =
|
||||||
|
|
||||||
[filter:tempauth]
|
[filter:tempauth]
|
||||||
use = egg:swift#tempauth
|
use = egg:swift#tempauth
|
||||||
|
|
|
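Review bot: The sample comment for `deny_host_headers` reads "the proxy will be deny requests to" and does not tell an operator how entries are matched. Judging by the proxy hunk on this page, an entry is compared exactly against the Host value with any port removed, so the comment should say so. Suggested wording: `# Comma separated list of Host header values the proxy will deny requests to.` followed by `# Entries are matched exactly against the host name, without the port.`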
@ -1841,6 +1841,8 @@ class BaseApplication(object):
|
||||||
self.max_containers_whitelist = [a.strip()
|
self.max_containers_whitelist = [a.strip()
|
||||||
for a in conf.get('max_containers_whitelist', '').split(',')
|
for a in conf.get('max_containers_whitelist', '').split(',')
|
||||||
if a.strip()]
|
if a.strip()]
|
||||||
|
self.deny_host_headers = [host.strip() for host in
|
||||||
|
conf.get('deny_host_headers', '').split(',') if host.strip()]
|
||||||
|
|
||||||
def get_controller(self, path):
|
def get_controller(self, path):
|
||||||
"""
|
"""
|
||||||
|
@ -1925,6 +1927,9 @@ class BaseApplication(object):
|
||||||
return HTTPPreconditionFailed(request=req, body='Invalid UTF8')
|
return HTTPPreconditionFailed(request=req, body='Invalid UTF8')
|
||||||
if not controller:
|
if not controller:
|
||||||
return HTTPPreconditionFailed(request=req, body='Bad URL')
|
return HTTPPreconditionFailed(request=req, body='Bad URL')
|
||||||
|
if self.deny_host_headers and \
|
||||||
|
req.host.split(':')[0] in self.deny_host_headers:
|
||||||
|
return HTTPForbidden(request=req, body='Invalid host header')
|
||||||
|
|
||||||
controller = controller(self, **path_parts)
|
controller = controller(self, **path_parts)
|
||||||
if 'swift.trans_id' not in req.environ:
|
if 'swift.trans_id' not in req.environ:
|
||||||
|
|
|
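Review bot: The membership test `req.host.split(':')[0] in self.deny_host_headers` in the third hunk is case-sensitive, but host names are case-insensitive, so a Host header that differs from the configured entry only in letter case (or carries a trailing dot) is not denied. Normalise both sides: build the list with `host.strip().lower()` in the constructor hunk and compare `req.host.split(':')[0].lower()` at the check. Splitting on `':'` also looks like it would reduce a bracketed IPv6 literal to `[`, so such entries could never match; confirm whether IPv6 Host values need to be supported. The enclosing request handler starts and ends outside the hunk, so the ordering relative to other checks could not be reviewed fully.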
@ -741,6 +741,19 @@ class TestProxyServer(unittest.TestCase):
|
||||||
finally:
|
finally:
|
||||||
rmtree(swift_dir, ignore_errors=True)
|
rmtree(swift_dir, ignore_errors=True)
|
||||||
|
|
||||||
|
def test_denied_host_header(self):
|
||||||
|
swift_dir = mkdtemp()
|
||||||
|
try:
|
||||||
|
baseapp = proxy_server.BaseApplication({'swift_dir': swift_dir,
|
||||||
|
'deny_host_headers': 'invalid_host.com'},
|
||||||
|
FakeMemcache(), NullLoggingHandler(), FakeRing(), FakeRing(),
|
||||||
|
FakeRing())
|
||||||
|
resp = baseapp.handle_request(
|
||||||
|
Request.blank('/v1/a/c/o',
|
||||||
|
environ={'HTTP_HOST': 'invalid_host.com'}))
|
||||||
|
self.assertEquals(resp.status, '403 Forbidden')
|
||||||
|
finally:
|
||||||
|
rmtree(swift_dir, ignore_errors=True)
|
||||||
|
|
||||||
class TestObjectController(unittest.TestCase):
|
class TestObjectController(unittest.TestCase):
|
||||||
|
|
||||||
|
|
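Review bot: `test_denied_host_header` only exercises an exact match with no port, so the `split(':')[0]` branch of the new check is never tested. Add a case with `environ={'HTTP_HOST': 'invalid_host.com:8080'}` that also expects `'403 Forbidden'`. Add a negative case as well, where a host that is not in `deny_host_headers` does not get a 403, so the test would catch a check that denies everything. A multi-entry value such as `'deny_host_headers': 'a.com, invalid_host.com'` would also cover the comma splitting and whitespace stripping done in the constructor.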