Comment 77 for bug 1927677

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/train)

Reviewed: https://review.opendev.org/c/openstack/nova/+/806629
Committed: https://opendev.org/openstack/nova/commit/8906552cfc2525a44251d4cf313ece61e57251eb
Submitter: "Zuul (22348)"
Branch: stable/train

commit 8906552cfc2525a44251d4cf313ece61e57251eb
Author: Sean Mooney <email address hidden>
Date: Mon Aug 23 15:37:48 2021 +0100

    address open redirect with 3 forward slashes

    Ie36401c782f023d1d5f2623732619105dc2cfa24 was intended
    to address OSSA-2021-002 (CVE-2021-3654); however, after its
    release it was discovered that the fix only worked
    for URLs with 2 leading slashes or more than 4.

    This change addresses the missing edge case for 3 leading slashes
    and also maintains support for rejecting 2+.

    Conflicts:
      nova/console/websocketproxy.py
      nova/tests/unit/console/test_websocketproxy.py

    NOTE(melwitt): The conflict and difference in websocketproxy.py from
    the cherry picked change: HTTPStatus.BAD_REQUEST => 400 is due to the
    fact that HTTPStatus does not exist in Python 2.7. The conflict in
    test_websocketproxy.py is because change
    I23ac1cc79482d0fabb359486a4b934463854cae5 (Allow TLS ciphers/protocols
    to be configurable for console proxies) is not in Train. The difference
    in test_websocketproxy.py from the cherry picked change is due to a
    difference in internal implementation [1] in Python < 3.6. See change
    I546d376869a992601b443fb95acf1034da2a8f36 for reference.

    [1] https://github.com/python/cpython/commit/34eeed42901666fce099947f93dfdfc05411f286

    Change-Id: I95f68be76330ff09e5eabb5ef8dd9a18f5547866
    co-authored-by: Matteo Pozza
    Closes-Bug: #1927677
    (cherry picked from commit 6fbd0b758dcac71323f3be179b1a9d1c17a4acc5)
    (cherry picked from commit 47dad4836a26292e9d34e516e1525ecf00be127c)
    (cherry picked from commit 9588cdbfd4649ea53d60303f2d10c5d62a070a07)
    (cherry picked from commit 0997043f459ac616b594363b5b253bd0ae6ed9eb)
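
Added illustration of the edge case the commit message describes; this is example code written for this page, not nova's websocketproxy.py and not the patch merged above. It assumes, for the sake of contrast, that an incomplete check looks for a leading "//" only on the redirect target rebuilt with urlsplit()/urlunsplit() (the way http.server.SimpleHTTPRequestHandler builds its directory redirect on Python 3.6+), and shows why such a check misses exactly three leading slashes while the raw-path check rejects two or more. The host "example.com" and the helper names are placeholders chosen for the example.

```python
"""Leading-slash open-redirect check: rebuilt-URL check vs raw-path check.

Example code for illustration, not nova's own implementation.
"""
from http import HTTPStatus
from urllib.parse import urlsplit, urlunsplit


def rebuilt_redirect_target(path: str) -> str:
    """Mimic the directory redirect of SimpleHTTPRequestHandler (3.6+):
    split the request path, append '/' to the path component, rejoin."""
    parts = urlsplit(path)
    new_parts = (parts[0], parts[1], parts[2] + '/', parts[3], parts[4])
    return urlunsplit(new_parts)


def rejected_by_rebuilt_url_check(path: str) -> bool:
    """Assumed incomplete check: inspect only the rebuilt redirect target.

    urlsplit() consumes the first two slashes as an (empty) authority, so
    '///host' becomes path '/host' and the rebuilt target does not start
    with '//', while '//host' (netloc) and '////host' (path '//host') do.
    """
    return rebuilt_redirect_target(path).startswith('//')


def rejected_by_raw_path_check(path: str) -> bool:
    """Check the request path as received: two or more leading slashes
    are refused, which also covers the three-slash case.  Browsers treat
    any run of leading slashes in a Location header as scheme-relative."""
    return path.startswith('//')


def handle_directory_request(path: str):
    """Stand-in for a send_head() override; returns (status, location).

    Real code first checks that translate_path(path) is a directory;
    that is omitted here.  HTTPStatus exists only on Python 3; the
    stable/train backport uses the literal 400 instead.
    """
    if not urlsplit(path).path.endswith('/'):
        if rejected_by_raw_path_check(path):
            return (HTTPStatus.BAD_REQUEST, None)
        return (HTTPStatus.MOVED_PERMANENTLY, rebuilt_redirect_target(path))
    return (HTTPStatus.OK, None)


def compare_checks(paths):
    """Map each path to (rebuilt-URL check rejects, raw-path check rejects)."""
    return {p: (rejected_by_rebuilt_url_check(p),
                rejected_by_raw_path_check(p)) for p in paths}


if __name__ == '__main__':
    # Constructed sample paths with 1..5 leading slashes; host is a placeholder.
    samples = ['/' * n + 'example.com' for n in range(1, 6)]
    for p, (rebuilt, raw) in compare_checks(samples).items():
        print(f'{p!r:22} rebuilt-url check={rebuilt!s:5} raw-path check={raw!s:5} '
              f'-> {handle_directory_request(p)}')
```

Running it shows the gap the commit message describes: with two, four or five leading slashes both checks reject, but "///example.com" is rebuilt as "/example.com/" and passes the rebuilt-URL check, whereas the raw-path check still returns 400.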