 781612b332
			
		
	
	781612b332
	
	
	
		
			
			Our console proxies (novnc, serial, spice) run in a websockify server whose request handler inherits from the python standard SimpleHTTPRequestHandler. There is a known issue [1] in the SimpleHTTPRequestHandler which allows open redirects by way of URLs in the following format: http://vncproxy.my.domain.com//example.com/%2F.. which if visited, will redirect a user to example.com. We can intercept a request and reject requests that pass a redirection URL beginning with "//" by implementing the SimpleHTTPRequestHandler.send_head() method containing the vulnerability to reject such requests with a 400 Bad Request. This code is copied from a patch suggested in one of the issue comments [2]. Closes-Bug: #1927677 [1] https://bugs.python.org/issue32084 [2] https://bugs.python.org/issue32084#msg306545 Change-Id: Ie36401c782f023d1d5f2623732619105dc2cfa24
		
			
				
	
	
		
			20 lines
		
	
	
		
			837 B
		
	
	
	
		
			YAML
		
	
	
	
	
	
			
		
		
	
	
			20 lines
		
	
	
		
			837 B
		
	
	
	
		
			YAML
		
	
	
	
	
	
| ---
 | |
| security:
 | |
|   - |
 | |
|     A vulnerability in the console proxies (novnc, serial, spice) that allowed
 | |
|     open redirection has been `patched`_. The novnc, serial, and spice console
 | |
|     proxies are implemented as websockify servers and the request handler
 | |
|     inherits from the python standard SimpleHTTPRequestHandler. There is a
 | |
|     `known issue`_ in the SimpleHTTPRequestHandler which allows open redirects
 | |
|     by way of URLs in the following format::
 | |
| 
 | |
|       http://vncproxy.my.domain.com//example.com/%2F..
 | |
| 
 | |
|     which if visited, will redirect a user to example.com.
 | |
| 
 | |
|     The novnc, serial, and spice console proxies will now reject requests that
 | |
|     pass a redirection URL beginning with "//" with a 400 Bad Request.
 | |
| 
 | |
|     .. _patched: https://bugs.launchpad.net/nova/+bug/1927677
 | |
|     .. _known issue: https://bugs.python.org/issue32084
 |