<feed xmlns='http://www.w3.org/2005/Atom'>
<title>delta/openstack/nova.git/nova/console, branch master</title>
<subtitle>opendev.org: openstack/nova.git
</subtitle>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/openstack/nova.git/'/>
<entry>
<title>Fix typos</title>
<updated>2022-05-30T12:10:00+00:00</updated>
<author>
<name>Rajesh Tailor</name>
<email>ratailor@redhat.com</email>
</author>
<published>2022-05-23T11:26:20+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/openstack/nova.git/commit/?id=2521810e553593f8d02adeef0f089b60bc7f71a6'/>
<id>2521810e553593f8d02adeef0f089b60bc7f71a6</id>
<content type='text'>
This change fixes some of the typos in unit tests as well
as in nova code-base.

Change-Id: I209bbb270baf889fcb2b9a4d1ce0ab4a962d0d0e
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This change fixes some of the typos in unit tests as well
as in nova code-base.

Change-Id: I209bbb270baf889fcb2b9a4d1ce0ab4a962d0d0e
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge "console: Improve logging"</title>
<updated>2021-09-07T14:29:08+00:00</updated>
<author>
<name>Zuul</name>
<email>zuul@review.opendev.org</email>
</author>
<published>2021-09-07T14:29:08+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/openstack/nova.git/commit/?id=b124ceab04005d289aa675738a3bfb5a416a4191'/>
<id>b124ceab04005d289aa675738a3bfb5a416a4191</id>
<content type='text'>
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
</pre>
</div>
</content>
</entry>
<entry>
<title>address open redirect with 3 forward slashes</title>
<updated>2021-08-23T14:51:06+00:00</updated>
<author>
<name>Sean Mooney</name>
<email>work@seanmooney.info</email>
</author>
<published>2021-08-23T14:37:48+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/openstack/nova.git/commit/?id=6fbd0b758dcac71323f3be179b1a9d1c17a4acc5'/>
<id>6fbd0b758dcac71323f3be179b1a9d1c17a4acc5</id>
<content type='text'>
Ie36401c782f023d1d5f2623732619105dc2cfa24 was intended
to address OSSA-2021-002 (CVE-2021-3654); however, after its
release it was discovered that the fix only worked
for URLs with 2 leading slashes or more than 4.

This change addresses the missing edge case for 3 leading slashes
and also maintains support for rejecting 2+.

Change-Id: I95f68be76330ff09e5eabb5ef8dd9a18f5547866
co-authored-by: Matteo Pozza
Closes-Bug: #1927677
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Ie36401c782f023d1d5f2623732619105dc2cfa24 was intended
to address OSSA-2021-002 (CVE-2021-3654); however, after its
release it was discovered that the fix only worked
for URLs with 2 leading slashes or more than 4.

This change addresses the missing edge case for 3 leading slashes
and also maintains support for rejecting 2+.

Change-Id: I95f68be76330ff09e5eabb5ef8dd9a18f5547866
co-authored-by: Matteo Pozza
Closes-Bug: #1927677
</pre>
</div>
</content>
</entry>
<entry>
<title>Reject open redirection in the console proxy</title>
<updated>2021-05-14T15:26:00+00:00</updated>
<author>
<name>melanie witt</name>
<email>melwittt@gmail.com</email>
</author>
<published>2021-05-13T05:43:42+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/openstack/nova.git/commit/?id=781612b33282ed298f742c85dab58a075c8b793e'/>
<id>781612b33282ed298f742c85dab58a075c8b793e</id>
<content type='text'>
Our console proxies (novnc, serial, spice) run in a websockify server
whose request handler inherits from the Python standard
SimpleHTTPRequestHandler. There is a known issue [1] in the
SimpleHTTPRequestHandler which allows open redirects by way of URLs
in the following format:

  http://vncproxy.my.domain.com//example.com/%2F..

which, if visited, will redirect a user to example.com.

We can intercept a request and reject requests that pass a redirection
URL beginning with "//" by implementing the
SimpleHTTPRequestHandler.send_head() method containing the
vulnerability to reject such requests with a 400 Bad Request.

This code is copied from a patch suggested in one of the issue comments
[2].

Closes-Bug: #1927677

[1] https://bugs.python.org/issue32084
[2] https://bugs.python.org/issue32084#msg306545

Change-Id: Ie36401c782f023d1d5f2623732619105dc2cfa24
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Our console proxies (novnc, serial, spice) run in a websockify server
whose request handler inherits from the Python standard
SimpleHTTPRequestHandler. There is a known issue [1] in the
SimpleHTTPRequestHandler which allows open redirects by way of URLs
in the following format:

  http://vncproxy.my.domain.com//example.com/%2F..

which, if visited, will redirect a user to example.com.

We can intercept a request and reject requests that pass a redirection
URL beginning with "//" by implementing the
SimpleHTTPRequestHandler.send_head() method containing the
vulnerability to reject such requests with a 400 Bad Request.

This code is copied from a patch suggested in one of the issue comments
[2].

Closes-Bug: #1927677

[1] https://bugs.python.org/issue32084
[2] https://bugs.python.org/issue32084#msg306545

Change-Id: Ie36401c782f023d1d5f2623732619105dc2cfa24
</pre>
</div>
</content>
</entry>
<entry>
<title>Remove references to 'sys.version_info'</title>
<updated>2021-04-21T11:02:27+00:00</updated>
<author>
<name>Stephen Finucane</name>
<email>stephenfin@redhat.com</email>
</author>
<published>2020-10-05T16:49:08+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/openstack/nova.git/commit/?id=bab3c8f3cba87b75d271308ef35dada18afaa03b'/>
<id>bab3c8f3cba87b75d271308ef35dada18afaa03b</id>
<content type='text'>
We support Python 3.6 as a minimum now, making these checks no-ops.

Change-Id: I5ca2439c948687022f8d88df978bc7ee77199fcc
Signed-off-by: Stephen Finucane &lt;stephenfin@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
We support Python 3.6 as a minimum now, making these checks no-ops.

Change-Id: I5ca2439c948687022f8d88df978bc7ee77199fcc
Signed-off-by: Stephen Finucane &lt;stephenfin@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>console: Improve logging</title>
<updated>2021-03-03T10:43:02+00:00</updated>
<author>
<name>Stephen Finucane</name>
<email>stephenfin@redhat.com</email>
</author>
<published>2021-03-02T17:49:49+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/openstack/nova.git/commit/?id=be6927a28f9e2ea22193813fc907343069a8e131'/>
<id>be6927a28f9e2ea22193813fc907343069a8e131</id>
<content type='text'>
The logs emitted when VeNCrypt is enabled are rather unhelpful and have
some broken formatting:

  Got version string 'b'RFB 003.008'' from compute node
  Got version string 'b'RFB 003.008'' from tenant
  The server sent security types [19]
  Using security type 19 with server, None with client
  Server sent VeNCrypt version 0.2
  Server supports VeNCrypt sub-types (260,)
  Attempting to use the x509None (AuthVeNCryptSubtype.X509NONE) auth sub-type
  Server accepted the requested sub-auth type

There are a couple of issues here:

- We're not decoding bytestrings resulting in 'b' prefixes
- We're emitting the integer code for type information but not the names
- We're calling 'str' on an enum value which returns the name of the
  enum rather than the value

Resolve all of these, resulting in a far more pleasant log:

  Got version string 'RFB 003.008' from compute node
  Got version string 'RFB 003.008' from tenant
  Server sent security types: 19 (VENCRYPT)
  Using security type 19 (VENCRYPT) with server, 1 (NONE) with client
  Server sent VeNCrypt version 0.2
  Server supports VeNCrypt subtypes: 260 (X509NONE)
  Attempting to use the 260 (X509NONE) VeNCrypt auth subtype
  Server accepted the requested VeNCrypt auth subtype

Change-Id: I3e19e4765afdcb427dea1cd4beada2871239928a
Signed-off-by: Stephen Finucane &lt;stephenfin@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The logs emitted when VeNCrypt is enabled are rather unhelpful and have
some broken formatting:

  Got version string 'b'RFB 003.008'' from compute node
  Got version string 'b'RFB 003.008'' from tenant
  The server sent security types [19]
  Using security type 19 with server, None with client
  Server sent VeNCrypt version 0.2
  Server supports VeNCrypt sub-types (260,)
  Attempting to use the x509None (AuthVeNCryptSubtype.X509NONE) auth sub-type
  Server accepted the requested sub-auth type

There are a couple of issues here:

- We're not decoding bytestrings resulting in 'b' prefixes
- We're emitting the integer code for type information but not the names
- We're calling 'str' on an enum value which returns the name of the
  enum rather than the value

Resolve all of these, resulting in a far more pleasant log:

  Got version string 'RFB 003.008' from compute node
  Got version string 'RFB 003.008' from tenant
  Server sent security types: 19 (VENCRYPT)
  Using security type 19 (VENCRYPT) with server, 1 (NONE) with client
  Server sent VeNCrypt version 0.2
  Server supports VeNCrypt subtypes: 260 (X509NONE)
  Attempting to use the 260 (X509NONE) VeNCrypt auth subtype
  Server accepted the requested VeNCrypt auth subtype

Change-Id: I3e19e4765afdcb427dea1cd4beada2871239928a
Signed-off-by: Stephen Finucane &lt;stephenfin@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Remove six.text_type (1/2)</title>
<updated>2020-12-13T11:25:31+00:00</updated>
<author>
<name>Takashi Natsume</name>
<email>takanattie@gmail.com</email>
</author>
<published>2020-05-14T14:35:21+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/openstack/nova.git/commit/?id=383e2a8bdcc9210cbe9719d3470fe15b787d46b0'/>
<id>383e2a8bdcc9210cbe9719d3470fe15b787d46b0</id>
<content type='text'>
Replace six.text_type with str.
A subsequent patch will replace other six.text_type.

Change-Id: I23bb9e539d08f5c6202909054c2dd49b6c7a7a0e
Implements: blueprint six-removal
Signed-off-by: Takashi Natsume &lt;takanattie@gmail.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Replace six.text_type with str.
A subsequent patch will replace other six.text_type.

Change-Id: I23bb9e539d08f5c6202909054c2dd49b6c7a7a0e
Implements: blueprint six-removal
Signed-off-by: Takashi Natsume &lt;takanattie@gmail.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Remove six.binary_type/integer_types/string_types</title>
<updated>2020-12-13T11:25:14+00:00</updated>
<author>
<name>Takashi Natsume</name>
<email>takanattie@gmail.com</email>
</author>
<published>2020-05-14T12:04:12+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/openstack/nova.git/commit/?id=07462dd0050fbfea89e517759b312b67a368e279'/>
<id>07462dd0050fbfea89e517759b312b67a368e279</id>
<content type='text'>
Replace the following items with Python 3 style code.

- six.binary_type
- six.integer_types
- six.string_types

Subsequent patches will replace other six usages.

Change-Id: Ide65686cf02463045f5c32771ca949802b19636f
Implements: blueprint six-removal
Signed-off-by: Takashi Natsume &lt;takanattie@gmail.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Replace the following items with Python 3 style code.

- six.binary_type
- six.integer_types
- six.string_types

Subsequent patches will replace other six usages.

Change-Id: Ide65686cf02463045f5c32771ca949802b19636f
Implements: blueprint six-removal
Signed-off-by: Takashi Natsume &lt;takanattie@gmail.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Remove six.byte2int/int2byte</title>
<updated>2020-11-07T03:25:40+00:00</updated>
<author>
<name>Takashi Natsume</name>
<email>takanattie@gmail.com</email>
</author>
<published>2020-05-13T14:13:13+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/openstack/nova.git/commit/?id=f6d74eabfc48251a3a601835f6ce28f301307db8'/>
<id>f6d74eabfc48251a3a601835f6ce28f301307db8</id>
<content type='text'>
Replace the following items with Python 3 style code.

- six.byte2int
- six.int2byte
- six.u
- six.b
- six.unichr
- six.get_method_self
- six.wraps

Subsequent patches will replace other six usages.

Change-Id: I931e717cd18b866c9577089b1237b663513c173e
Implements: blueprint six-removal
Signed-off-by: Takashi Natsume &lt;takanattie@gmail.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Replace the following items with Python 3 style code.

- six.byte2int
- six.int2byte
- six.u
- six.b
- six.unichr
- six.get_method_self
- six.wraps

Subsequent patches will replace other six usages.

Change-Id: I931e717cd18b866c9577089b1237b663513c173e
Implements: blueprint six-removal
Signed-off-by: Takashi Natsume &lt;takanattie@gmail.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Remove six.moves</title>
<updated>2020-11-07T03:25:02+00:00</updated>
<author>
<name>Takashi Natsume</name>
<email>takanattie@gmail.com</email>
</author>
<published>2020-05-12T14:52:10+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/openstack/nova.git/commit/?id=1d0a0e8c2068c01366575bb989f15c2fd8962154'/>
<id>1d0a0e8c2068c01366575bb989f15c2fd8962154</id>
<content type='text'>
Replace the following items with Python 3 style code.

- six.moves.configparser
- six.moves.StringIO
- six.moves.cStringIO
- six.moves.urllib
- six.moves.builtins
- six.moves.range
- six.moves.xmlrpc_client
- six.moves.http_client
- six.moves.http_cookies
- six.moves.queue
- six.moves.zip
- six.moves.reload_module
- six.StringIO
- six.BytesIO

Subsequent patches will replace other six usages.

Change-Id: Ib2c406327fef2fb4868d8050fc476a7d17706e23
Implements: blueprint six-removal
Signed-off-by: Takashi Natsume &lt;takanattie@gmail.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Replace the following items with Python 3 style code.

- six.moves.configparser
- six.moves.StringIO
- six.moves.cStringIO
- six.moves.urllib
- six.moves.builtins
- six.moves.range
- six.moves.xmlrpc_client
- six.moves.http_client
- six.moves.http_cookies
- six.moves.queue
- six.moves.zip
- six.moves.reload_module
- six.StringIO
- six.BytesIO

Subsequent patches will replace other six usages.

Change-Id: Ib2c406327fef2fb4868d8050fc476a7d17706e23
Implements: blueprint six-removal
Signed-off-by: Takashi Natsume &lt;takanattie@gmail.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
