Enable no_parent and file_only security

The websockify package was recently upgraded to version 0.5.1, which added two
parameters that provide additional security:
* no_parent - returns 403 response if contents out of the web root are
requested. Required to disable directory traversal.
* file_only - returns 404 response if non-file contents are requested. Required
to disable directory listing.
This version is available in PyPI.

Nova should upgrade its required version for websockify, and set these
parameters while creating and starting the NovaWebSocketProxy to ensure
better security.

DocImpact
Fixes bug #1195700

Change-Id: I9c4b28eb1b384048f10d365ed204b916afd371bb
Rohit Karajgi
2013-07-02 07:01:44 -07:00
parent bcd5e9cd58
commit 3eb67b811a
2 changed files with 3 additions and 1 deletions

@@ -77,6 +77,8 @@ def main():
daemon=CONF.daemon,
record=CONF.record,
web=CONF.web,
file_only=True,
no_parent=True,
target_host='ignore',
target_port='ignore',
wrap_mode='exit',
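Review bot: file_only=True and no_parent=True, added directly after web=CONF.web, carry no comment marking them as security settings, so a later cleanup of this argument list could drop them unnoticed. Suggest a one-line comment above them saying that they block directory listing and requests outside the web root served via CONF.web, and that they need websockify 0.5.1 or later. A unit test asserting that the proxy is constructed with both set to True would keep the hardening from regressing.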

@@ -27,7 +27,7 @@ python-glanceclient>=0.9.0
python-keystoneclient>=0.2.0
six
stevedore>=0.10
websockify<0.4
websockify>=0.5.1,<0.6
pyparsing>=1.5.7,<2.0 # order-dependent python-quantumclient req, bug 1191866
-f http://tarballs.openstack.org/oslo.config/oslo.config-1.2.0a3.tar.gz#egg=oslo.config-1.2.0a3
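Review bot: the new websockify>=0.5.1,<0.6 line gives no reason for the 0.5.1 floor, while the pyparsing line directly below it documents its constraint with a trailing comment and bug number. Suggest a similar trailing comment, for example `# no_parent/file_only support, bug 1195700`, so nobody later relaxes the floor below the version that accepts the two new proxy arguments. The <0.6 cap also deserves a note on why it is there, since it keeps out any later websockify release until this line is edited again.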