Comment 18 for bug 1927677

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/nova/+/791577
Committed: https://opendev.org/openstack/nova/commit/470925614223c8dd9b1233f54f5a96c02b2d4f70
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit 470925614223c8dd9b1233f54f5a96c02b2d4f70
Author: melanie witt <email address hidden>
Date: Thu May 13 05:43:42 2021 +0000

    Reject open redirection in the console proxy

    Our console proxies (novnc, serial, spice) run in a websockify server
    whose request handler inherits from the python standard
    SimpleHTTPRequestHandler. There is a known issue [1] in the
    SimpleHTTPRequestHandler which allows open redirects by way of URLs
    in the following format:

      http://vncproxy.my.domain.com//example.com/%2F..

    which, if visited, will redirect a user to example.com.

    We can intercept a request and reject requests that pass a redirection
    URL beginning with "//" by implementing the
    SimpleHTTPRequestHandler.send_head() method containing the
    vulnerability to reject such requests with a 400 Bad Request.

    This code is copied from a patch suggested in one of the issue comments
    [2].

    Closes-Bug: #1927677

    [1] https://bugs.python.org/issue32084
    [2] https://bugs.python.org/issue32084#msg306545

    Change-Id: Ie36401c782f023d1d5f2623732619105dc2cfa24
    (cherry picked from commit 781612b33282ed298f742c85dab58a075c8b793e)
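The guard the commit message describes, as an added example that is neither nova's code nor the CPython patch it cites. `stock_redirect_location()` reproduces the `urlsplit`/`urlunsplit` step the standard `send_head()` uses to build its directory redirect, which is exactly where a request path such as `//example.com/%2F..` turns into the protocol-relative `Location: //example.com/%2F../`. `HardenedHandler` answers 400 before that can happen, and `simulate()` drives `send_head()` offline with `BytesIO` in place of the socket (it bypasses `__init__` and sets `path` directly, so the override is exercised even on later CPython releases that already collapse a leading `//` in `parse_request`). All four names are hypothetical; the sample paths are constructed.

```python
"""Reject protocol-relative request paths before send_head() can redirect.

Added example (not nova's code). HardenedHandler is a hypothetical
SimpleHTTPRequestHandler subclass; simulate() is offline test scaffolding.
"""
import io
import tempfile
import urllib.parse
from http import HTTPStatus
from http.server import SimpleHTTPRequestHandler


def stock_redirect_location(request_path: str) -> str:
    """Return the Location value the stock send_head() builds when the
    request path resolves to a directory, or '' when it would not redirect.

    Mirrors the urlsplit/urlunsplit step in http.server: for
    '//example.com/%2F..' urlsplit() treats 'example.com' as the netloc, so
    the rebuilt URL is '//example.com/%2F../', which a browser resolves to
    http(s)://example.com/... instead of a path on the proxy host.
    """
    parts = urllib.parse.urlsplit(request_path)
    if parts.path.endswith('/'):
        return ''
    new_parts = (parts[0], parts[1], parts[2] + '/', parts[3], parts[4])
    return urllib.parse.urlunsplit(new_parts)


def is_open_redirect(request_path: str) -> bool:
    """True when serving this path could emit an off-host redirect.

    Checking the rebuilt URL rather than the raw prefix means '///example.com'
    (which urlsplit() reduces to path '/example.com') is correctly allowed:
    the header it would produce is the local '/example.com/'.
    """
    return stock_redirect_location(request_path).startswith('//')


class HardenedHandler(SimpleHTTPRequestHandler):
    """SimpleHTTPRequestHandler that answers 400 instead of redirecting to
    another host. Unlike the stock code it does not first check that the
    translated path is a directory: refusing such paths outright is simpler
    and rejects nothing a legitimate client sends."""

    def send_head(self):
        if is_open_redirect(self.path):
            self.send_error(HTTPStatus.BAD_REQUEST,
                            "URI must not start with //")
            return None
        return super().send_head()


def simulate(handler_cls, request_path: str, directory: str = None) -> int:
    """Drive send_head() with BytesIO standing in for the connection and
    return the HTTP status it wrote (constructed test scaffolding).

    Bypasses __init__, which would try to serve a real socket, and sets only
    the attributes send_head()/send_error() read. Assigning h.path directly
    also sidesteps the '//' collapsing newer CPython does in parse_request,
    so the override itself is what gets exercised.
    """
    h = handler_cls.__new__(handler_cls)
    h.command = 'GET'
    h.path = request_path
    h.requestline = 'GET %s HTTP/1.1' % request_path
    h.request_version = 'HTTP/1.1'
    h.client_address = ('127.0.0.1', 0)
    h.directory = directory or tempfile.mkdtemp()  # empty docroot
    h.wfile = io.BytesIO()
    h.log_message = lambda *args: None  # keep the demo quiet on stderr
    h.send_head()
    status_line = h.wfile.getvalue().split(b'\r\n', 1)[0]
    return int(status_line.split()[1])


if __name__ == '__main__':
    # Constructed sample paths: the one from the commit message, a bare
    # host, an ordinary local path and the triple-slash false-positive case.
    for p in ('//example.com/%2F..', '//example.com', '/static',
              '///example.com'):
        print('%-22s open_redirect=%-5s status=%d'
              % (p, is_open_redirect(p), simulate(HardenedHandler, p)))
```

Against an empty docroot the ordinary paths come back 404 from the stock `send_head()`, while the two `//example.com` forms are stopped with 400 before any `Location` header is written. In production the check should sit in front of the console proxy handler exactly as the commit does; the simulation exists only so the behaviour can be asserted without binding a port.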