OpenStack Compute (nova)

  1. Bug #1927677
  2. Comment #76

Comment 76 for bug 1927677

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/train)

Reviewed: https://review.opendev.org/c/openstack/nova/+/791807
Committed: https://opendev.org/openstack/nova/commit/04d48527b62a35d912f93bc75613a6cca606df66
Submitter: "Zuul (22348)"
Branch: stable/train

commit 04d48527b62a35d912f93bc75613a6cca606df66
Author: melanie witt <email address hidden>
Date: Thu May 13 05:43:42 2021 +0000

    Reject open redirection in the console proxy

    NOTE(melwitt): This is the combination of two commits, the bug fix and
    a followup change to the unit test to enable it also run on
    Python < 3.6.

    Our console proxies (novnc, serial, spice) run in a websockify server
    whose request handler inherits from the python standard
    SimpleHTTPRequestHandler. There is a known issue [1] in the
    SimpleHTTPRequestHandler which allows open redirects by way of URLs
    in the following format:

      http://vncproxy.my.domain.com//example.com/%2F..

    which if visited, will redirect a user to example.com.

    We can intercept a request and reject requests that pass a redirection
    URL beginning with "//" by implementing the
    SimpleHTTPRequestHandler.send_head() method containing the
    vulnerability to reject such requests with a 400 Bad Request.

    This code is copied from a patch suggested in one of the issue comments
    [2].

    Closes-Bug: #1927677

    [1] https://bugs.python.org/issue32084
    [2] https://bugs.python.org/issue32084#msg306545

    Conflicts:
        nova/tests/unit/console/test_websocketproxy.py

    NOTE(melwitt): The conflict is because change
    I23ac1cc79482d0fabb359486a4b934463854cae5 (Allow TLS ciphers/protocols
    to be configurable for console proxies) is not in Train.

    NOTE(melwitt): The difference from the cherry picked change:
    HTTPStatus.BAD_REQUEST => 400 is due to the fact that HTTPStatus does
    not exist in Python 2.7.

    Reduce mocking in test_reject_open_redirect for compat

    This is a followup for change Ie36401c782f023d1d5f2623732619105dc2cfa24
    to reduce mocking in the unit test coverage for it.

    While backporting the bug fix, it was found to be incompatible with
    earlier versions of Python < 3.6 due to a difference in internal
    implementation [1].

    This reduces the mocking in the unit test to be more agnostic to the
    internals of the StreamRequestHandler (ancestor of
    SimpleHTTPRequestHandler) and work across Python versions >= 2.7.

    Related-Bug: #1927677

    [1] https://github.com/python/cpython/commit/34eeed42901666fce099947f93dfdfc05411f286

    Change-Id: I546d376869a992601b443fb95acf1034da2a8f36
    (cherry picked from commit 214cabe6848a1fdb4f5941d994c6cc11107fc4af)
    (cherry picked from commit 9c2f29783734cb5f9cb05a08d328c10e1d16c4f1)
    (cherry picked from commit 94e265f3ca615aa18de0081a76975019997b8709)
    (cherry picked from commit d43b88a33407b1253e7bce70f720a44f7688141f)

    Change-Id: Ie36401c782f023d1d5f2623732619105dc2cfa24
    (cherry picked from commit 781612b33282ed298f742c85dab58a075c8b793e)
    (cherry picked from commit 470925614223c8dd9b1233f54f5a96c02b2d4f70)
    (cherry picked from commit 6b70350bdcf59a9712f88b6435ba2c6500133e5b)
    (cherry picked from commit 719e651e6be277950632e0c2cf5cc9a018344e7b)