openstack
/
swift
Code Issues Proposed changes

proxy to be able to deny request to invalid hostnames 

Change-Id: I974f729da60e5ab9453daf9e52466b3e1af5c69b
This commit is contained in:
David Goetz 2012-04-12 12:46:03 -07:00
parent a77cbc2892
commit 40cbff9fd3
3 changed files with 20 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
etc/proxy-server.conf-sample
View File

@ -57,6 +57,8 @@ use = egg:swift#proxy
# This is a comma separated list of account hashes that ignore the # This is a comma separated list of account hashes that ignore the
# max_containers_per_account cap. # max_containers_per_account cap.
# max_containers_whitelist = # max_containers_whitelist =
# comma separated list of Host headers the proxy will be deny requests to
# deny_host_headers =
[filter:tempauth] [filter:tempauth]
use = egg:swift#tempauth use = egg:swift#tempauth

5
swift/proxy/server.py
View File

@ -1841,6 +1841,8 @@ class BaseApplication(object):
self.max_containers_whitelist = [a.strip() self.max_containers_whitelist = [a.strip()
for a in conf.get('max_containers_whitelist', '').split(',') for a in conf.get('max_containers_whitelist', '').split(',')
if a.strip()] if a.strip()]
self.deny_host_headers = [host.strip() for host in
conf.get('deny_host_headers', '').split(',') if host.strip()]
def get_controller(self, path): def get_controller(self, path):
""" """
@ -1925,6 +1927,9 @@ class BaseApplication(object):
return HTTPPreconditionFailed(request=req, body='Invalid UTF8') return HTTPPreconditionFailed(request=req, body='Invalid UTF8')
if not controller: if not controller:
return HTTPPreconditionFailed(request=req, body='Bad URL') return HTTPPreconditionFailed(request=req, body='Bad URL')
if self.deny_host_headers and \
req.host.split(':')[0] in self.deny_host_headers:
return HTTPForbidden(request=req, body='Invalid host header')
controller = controller(self, **path_parts) controller = controller(self, **path_parts)
if 'swift.trans_id' not in req.environ: if 'swift.trans_id' not in req.environ:

13
test/unit/proxy/test_server.py
View File

@ -741,6 +741,19 @@ class TestProxyServer(unittest.TestCase):
finally: finally:
rmtree(swift_dir, ignore_errors=True) rmtree(swift_dir, ignore_errors=True)
def test_denied_host_header(self):
swift_dir = mkdtemp()
try:
baseapp = proxy_server.BaseApplication({'swift_dir': swift_dir,
'deny_host_headers': 'invalid_host.com'},
FakeMemcache(), NullLoggingHandler(), FakeRing(), FakeRing(),
FakeRing())
resp = baseapp.handle_request(
Request.blank('/v1/a/c/o',
environ={'HTTP_HOST': 'invalid_host.com'}))
self.assertEquals(resp.status, '403 Forbidden')
finally:
rmtree(swift_dir, ignore_errors=True)
class TestObjectController(unittest.TestCase): class TestObjectController(unittest.TestCase):