diff options
author | melanie witt <melwittt@gmail.com> | 2021-05-13 05:43:42 +0000 |
---|---|---|
committer | melanie witt <melwittt@gmail.com> | 2021-05-17 17:00:44 +0000 |
commit | 6b70350bdcf59a9712f88b6435ba2c6500133e5b (patch) | |
tree | cffe0e1bc2507e258aa025352ab6e1a35f3199a8 /releasenotes | |
parent | e954a56fec69637ebd671643d41bb0ecc85a2656 (diff) | |
download | nova-6b70350bdcf59a9712f88b6435ba2c6500133e5b.tar.gz |
Reject open redirection in the console proxy
Our console proxies (novnc, serial, spice) run in a websockify server
whose request handler inherits from the python standard
SimpleHTTPRequestHandler. There is a known issue [1] in the
SimpleHTTPRequestHandler which allows open redirects by way of URLs
in the following format:
http://vncproxy.my.domain.com//example.com/%2F..
which if visited, will redirect a user to example.com.
We can intercept a request and reject requests that pass a redirection
URL beginning with "//" by implementing the
SimpleHTTPRequestHandler.send_head() method containing the
vulnerability to reject such requests with a 400 Bad Request.
This code is copied from a patch suggested in one of the issue comments
[2].
Closes-Bug: #1927677
[1] https://bugs.python.org/issue32084
[2] https://bugs.python.org/issue32084#msg306545
Conflicts:
nova/console/websocketproxy.py
nova/tests/unit/console/test_websocketproxy.py
NOTE(melwitt): The conflicts are because the following changes are not
in Victoria:
Ib2c406327fef2fb4868d8050fc476a7d17706e23 (Remove six.moves)
I58b0382c86d4ef798572edb63d311e0e3e6937bb (Refactor and rename
test_tcp_rst_no_compute_rpcapi)
Change-Id: Ie36401c782f023d1d5f2623732619105dc2cfa24
(cherry picked from commit 781612b33282ed298f742c85dab58a075c8b793e)
(cherry picked from commit 470925614223c8dd9b1233f54f5a96c02b2d4f70)
Diffstat (limited to 'releasenotes')
-rw-r--r-- | releasenotes/notes/console-proxy-reject-open-redirect-4ac0a7895acca7eb.yaml | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/releasenotes/notes/console-proxy-reject-open-redirect-4ac0a7895acca7eb.yaml b/releasenotes/notes/console-proxy-reject-open-redirect-4ac0a7895acca7eb.yaml new file mode 100644 index 0000000000..ce05b9a867 --- /dev/null +++ b/releasenotes/notes/console-proxy-reject-open-redirect-4ac0a7895acca7eb.yaml @@ -0,0 +1,19 @@ +--- +security: + - | + A vulnerability in the console proxies (novnc, serial, spice) that allowed + open redirection has been `patched`_. The novnc, serial, and spice console + proxies are implemented as websockify servers and the request handler + inherits from the python standard SimpleHTTPRequestHandler. There is a + `known issue`_ in the SimpleHTTPRequestHandler which allows open redirects + by way of URLs in the following format:: + + http://vncproxy.my.domain.com//example.com/%2F.. + + which if visited, will redirect a user to example.com. + + The novnc, serial, and spice console proxies will now reject requests that + pass a redirection URL beginning with "//" with a 400 Bad Request. + + .. _patched: https://bugs.launchpad.net/nova/+bug/1927677 + .. _known issue: https://bugs.python.org/issue32084 |