components/openstack/nova/patches/07-CVE-2015-0259.patch
author Danek Duvall <danek.duvall@oracle.com>
Thu, 19 Mar 2015 14:41:20 -0700
changeset 3998 5bd484384122
permissions -rw-r--r--
PSARC 2015/110 OpenStack service updates for Juno PSARC 2014/302 oslo.messaging - OpenStack RPC and notifications PSARC 2014/303 concurrent.futures - high-level Python interface for asynchronous execution PSARC 2014/304 networkx - Python module for complex networks PSARC 2014/305 taskflow - Python module for task execution PSARC 2014/329 pycadf - Python interface for CADF (cloud auditing) PSARC 2014/330 posix_ipc - POSIX IPC primitives for Python PSARC 2014/331 oauthlib - Python implementation of OAuth request-signing logic PSARC 2015/058 oslo - OpenStack common libraries (context, db, i18n, middleware, serialization, utils, vmware) PSARC 2015/059 glance_store - Glance storage library PSARC 2015/060 ipaddr - an IPv4/IPv6 manipulation library in Python PSARC 2015/061 simplegeneric - single-dispatch generic Python functions PSARC 2015/062 wsme - Web Services Made Easy PSARC 2015/063 retrying - General purpose Python retrying library PSARC 2015/065 osprofiler - an OpenStack cross-project profiling library PSARC 2015/066 OpenStack client for Sahara (Hadoop as a Service) PSARC 2015/067 keystonemiddleware - Middleware for OpenStack Identity PSARC 2015/068 pyScss - Compiler for the SCSS flavor of the Sass language PSARC 2015/069 django-pyscss - pyScss support for Django PSARC 2015/073 barbicanclient - OpenStack client for Barbican (Key Management) PSARC 2015/074 pysendfile - Python interface to sendfile PSARC 2015/097 ldappool - a connection pool for python-ldap PSARC 2015/098 rfc3986 - URI reference validation module for Python PSARC 2015/102 iniparse - python .ini file parsing module 20667775 OpenStack service updates for Juno (Umbrella) 18615101 Horizon should prevent network, subnet, and port names with hyphens in them 18772068 instance failed to launch with NoValidHost but no reason 18887457 openstack shouldn't deliver .po files 18905324 hostname.xml should set config/ignore_dhcp_hostname = true 18961031 Duplicate names for role-create and user-create are allowed 
19015363 Users should not be allowed to attempt to create volumes when quota exceed 19050335 user appears logged in but unauthorised after horizon reboot 19144215 Instance manipulation buttons greyed out after all instances terminated 19249066 heat stack-preview doesn't appear to do anything 19313272 Need bottom slidebar in horizon for small browser windows 19462265 The Python module oslo.messaging should be added to Userland 19462397 The Python module futures should be added to Userland 19476604 The Python module networkx should be added to Userland 19476953 The Python module taskflow should be added to Userland 19519227 The Python module pycadf should be added to Userland 19582394 The Python module posix_ipc should be added to Userland 19598430 The Python module oauthlib should be added to Userland 19815780 nova package should have dependencies on brand-solaris and brand-solaris-kz 19883623 Image snapshots are missing 'instance_uuid' property 19887874 horizon should set up apache log rotation 19987962 Cinder lists additional volumes attached to instance with linuxy device names 20027791 horizon should be migrated to Apache 2.4 20164815 The Python module django-pyscss should be added to Userland 20173049 The Python module retrying should be added to Userland 20174489 The Python module WSME should be added to Userland 20176001 The Python module keystonemiddleware should be added to Userland 20182039 The Python module pysendfile should be added to Userland 20200162 The Python module pyScss should be added to Userland 20222184 horizon doesn't send start request on shutdown instance 20312312 The Python module python-saharaclient should be added to Userland 20514287 wrong vnic label name used for dhcp vnic in evs 20596802 The Python module oslo.middleware should be added to Userland 20596803 The Python module barbicanclient should be added to Userland 20596804 The Python module oslo.context should be added to Userland 20596805 The Python module iniparse should be added 
to Userland 20596806 The Python module oslo.vmware should be added to Userland 20596807 The Python module osprofiler should be added to Userland 20596808 The Python module oslo.i18n should be added to Userland 20596809 The Python module oslo.utils should be added to Userland 20596811 The Python module ipaddr should be added to Userland 20596812 The Python module glance_store should be added to Userland 20596813 The Python module oslo.serialization should be added to Userland 20596814 The Python module oslo.db should be added to Userland 20596815 The Python module simplegeneric should be added to Userland 20602690 The Python module ldappool should be added to Userland 20602722 The Python module rfc3986 should be added to Userland 20638369 compilemessages.py requires GNU msgfmt without calling gmsgfmt 20715741 cinder 2014.2.2 20715742 glance 2014.2.2 20715743 heat 2014.2.2 20715744 horizon 2014.2.2 20715745 keystone 2014.2.2 20715746 neutron 2014.2.2 20715747 nova 2014.2.2 20715748 swift 2.2.2 20715749 alembic 0.7.4 20715750 amqp 1.4.6 20715751 boto 2.34.0 20715752 ceilometerclient 1.0.12 20715753 cinderclient 1.1.1 20715754 cliff 1.9.0 20715756 django 1.4.19 20715757 django_compressor 1.4 20715758 django_openstack_auth 1.1.9 20715759 eventlet 0.15.2 20715761 glanceclient 0.15.0 20715762 greenlet 0.4.5 20715763 heatclient 0.2.12 20715764 keystoneclient 1.0.0 20715765 kombu 3.0.7 20715766 mysql 1.2.5 20715767 netaddr 0.7.13 20715769 netifaces 0.10.4 20715770 neutronclient 2.3.10 20715771 novaclient 2.20.0 20715772 oslo.config 1.6.0 20715773 py 1.4.26 20715774 pyflakes 0.8.1 20715775 pytest 2.6.4 20715776 pytz 2014.10 20715777 requests 2.6.0 20715778 simplejson 3.6.5 20715779 six 1.9.0 20715780 sqlalchemy-migrate 0.9.1 20715781 sqlalchemy 0.9.8 20715782 stevedore 1.2.0 20715783 swiftclient 2.3.1 20715784 tox 1.8.1 20715785 troveclient 1.0.8 20715786 virtualenv 12.0.7 20715787 websockify 0.6.0

Upstream patch to address CVE-2015-0259.  This fix will be included in
the future 2014.2.3 (juno) release.

From 676ba7bbc788a528b0fe4c87c1c4bf94b4bb6eb1 Mon Sep 17 00:00:00 2001
From: Dave McCowan <[email protected]>
Date: Tue, 24 Feb 2015 21:35:48 -0500
Subject: [PATCH] Websocket Proxy should verify Origin header

If the Origin HTTP header passed in the WebSocket handshake does
not match the host, this could indicate an attempt at a
cross-site attack.  This commit adds a check to verify
the origin matches the host.

Change-Id: Ica6ec23d6f69a236657d5ba0c3f51b693c633649
Closes-Bug: 1409142
---
 nova/console/websocketproxy.py            |   45 +++++++
 nova/tests/console/test_websocketproxy.py |  185 ++++++++++++++++++++++++++++-
 2 files changed, 226 insertions(+), 4 deletions(-)

diff --git a/nova/console/websocketproxy.py b/nova/console/websocketproxy.py
index ef684f5..7a1e056 100644
--- a/nova/console/websocketproxy.py
+++ b/nova/console/websocketproxy.py
@@ -22,17 +22,40 @@ import Cookie
 import socket
 import urlparse
 
+from oslo.config import cfg
 import websockify
 
 from nova.consoleauth import rpcapi as consoleauth_rpcapi
 from nova import context
+from nova import exception
 from nova.i18n import _
 from nova.openstack.common import log as logging
 
 LOG = logging.getLogger(__name__)
 
+CONF = cfg.CONF
+CONF.import_opt('novncproxy_base_url', 'nova.vnc')
+CONF.import_opt('html5proxy_base_url', 'nova.spice', group='spice')
+CONF.import_opt('base_url', 'nova.console.serial', group='serial_console')
+
 
 class NovaProxyRequestHandlerBase(object):
+    def verify_origin_proto(self, console_type, origin_proto):
+        if console_type == 'novnc':
+            expected_proto = \
+                urlparse.urlparse(CONF.novncproxy_base_url).scheme
+        elif console_type == 'spice-html5':
+            expected_proto = \
+                urlparse.urlparse(CONF.spice.html5proxy_base_url).scheme
+        elif console_type == 'serial':
+            expected_proto = \
+                urlparse.urlparse(CONF.serial_console.base_url).scheme
+        else:
+            detail = _("Invalid Console Type for WebSocketProxy: '%s'") % \
+                        console_type
+            raise exception.ValidationError(detail=detail)
+        return origin_proto == expected_proto
+
     def new_websocket_client(self):
         """Called after a new WebSocket connection has been established."""
         # Reopen the eventlet hub to make sure we don't share an epoll
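Review bot: In verify_origin_proto, the 'serial' branch compares the browser's Origin scheme with the scheme of CONF.serial_console.base_url. If that option is configured as a ws:// or wss:// URL, an Origin of http or https can never match, and every serial console connection that carries an Origin header is rejected. Consider mapping ws to http and wss to https before the comparison, or state in the option's help text that base_url must use the scheme of the page that opens the socket. The method also needs a docstring saying that it returns a bool for the three known console types and raises ValidationError for anything else.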
@@ -62,6 +85,28 @@ class NovaProxyRequestHandlerBase(object):
         if not connect_info:
             raise Exception(_("Invalid Token"))
 
+        # Verify Origin
+        expected_origin_hostname = self.headers.getheader('Host')
+        if ':' in expected_origin_hostname:
+            e = expected_origin_hostname
+            expected_origin_hostname = e.split(':')[0]
+        origin_url = self.headers.getheader('Origin')
+        # missing origin header indicates non-browser client which is OK
+        if origin_url is not None:
+            origin = urlparse.urlparse(origin_url)
+            origin_hostname = origin.hostname
+            origin_scheme = origin.scheme
+            if origin_hostname == '' or origin_scheme == '':
+                detail = _("Origin header not valid.")
+                raise exception.ValidationError(detail=detail)
+            if expected_origin_hostname != origin_hostname:
+                detail = _("Origin header does not match this host.")
+                raise exception.ValidationError(detail=detail)
+            if not self.verify_origin_proto(connect_info['console_type'],
+                                              origin.scheme):
+                detail = _("Origin header protocol does not match this host.")
+                raise exception.ValidationError(detail=detail)
+
         self.msg(_('connect info: %s'), str(connect_info))
         host = connect_info['host']
         port = int(connect_info['port'])
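Review bot: At `if ':' in expected_origin_hostname:` a request without a Host header leaves expected_origin_hostname as None, so the membership test raises TypeError instead of the ValidationError used for every other failure in this block; check for None first and raise ValidationError. Stripping the port with `e.split(':')[0]` also reduces a bracketed IPv6 Host such as [::1]:6080 to '[', which can never equal origin.hostname. The `origin_hostname == ''` comparison looks dead because urlparse reports a missing hostname as None; `if not origin_hostname or not origin_scheme:` covers both cases. Only hostname and scheme are compared, so an Origin on a different port of the same host is accepted; the comment should say whether that is intended.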
diff --git a/nova/tests/console/test_websocketproxy.py b/nova/tests/console/test_websocketproxy.py
index 1e51a4d..66913c2 100644
--- a/nova/tests/console/test_websocketproxy.py
+++ b/nova/tests/console/test_websocketproxy.py
@@ -16,10 +16,14 @@
 
 
 import mock
+from oslo.config import cfg
 
 from nova.console import websocketproxy
+from nova import exception
 from nova import test
 
+CONF = cfg.CONF
+
 
 class NovaProxyRequestHandlerBaseTestCase(test.TestCase):
 
@@ -31,15 +35,82 @@ class NovaProxyRequestHandlerBaseTestCase(test.TestCase):
         self.wh.msg = mock.MagicMock()
         self.wh.do_proxy = mock.MagicMock()
         self.wh.headers = mock.MagicMock()
+        CONF.set_override('novncproxy_base_url',
+                          'https://example.net:6080/vnc_auto.html')
+        CONF.set_override('html5proxy_base_url',
+                          'https://example.net:6080/vnc_auto.html',
+                          'spice')
+
+    def _fake_getheader(self, header):
+        if header == 'cookie':
+            return 'token="123-456-789"'
+        elif header == 'Origin':
+            return 'https://example.net:6080'
+        elif header == 'Host':
+            return 'example.net:6080'
+        else:
+            return
+
+    def _fake_getheader_bad_token(self, header):
+        if header == 'cookie':
+            return 'token="XXX"'
+        elif header == 'Origin':
+            return 'https://example.net:6080'
+        elif header == 'Host':
+            return 'example.net:6080'
+        else:
+            return
+
+    def _fake_getheader_bad_origin(self, header):
+        if header == 'cookie':
+            return 'token="123-456-789"'
+        elif header == 'Origin':
+            return 'https://bad-origin-example.net:6080'
+        elif header == 'Host':
+            return 'example.net:6080'
+        else:
+            return
+
+    def _fake_getheader_blank_origin(self, header):
+        if header == 'cookie':
+            return 'token="123-456-789"'
+        elif header == 'Origin':
+            return ''
+        elif header == 'Host':
+            return 'example.net:6080'
+        else:
+            return
+
+    def _fake_getheader_no_origin(self, header):
+        if header == 'cookie':
+            return 'token="123-456-789"'
+        elif header == 'Origin':
+            return None
+        elif header == 'Host':
+            return 'any-example.net:6080'
+        else:
+            return
+
+    def _fake_getheader_http(self, header):
+        if header == 'cookie':
+            return 'token="123-456-789"'
+        elif header == 'Origin':
+            return 'http://example.net:6080'
+        elif header == 'Host':
+            return 'example.net:6080'
+        else:
+            return
 
     @mock.patch('nova.consoleauth.rpcapi.ConsoleAuthAPI.check_token')
     def test_new_websocket_client(self, check_token):
         check_token.return_value = {
             'host': 'node1',
-            'port': '10000'
+            'port': '10000',
+            'console_type': 'novnc'
         }
         self.wh.socket.return_value = '<socket>'
         self.wh.path = "ws://127.0.0.1/?token=123-456-789"
+        self.wh.headers.getheader = self._fake_getheader
 
         self.wh.new_websocket_client()
 
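Review bot: setUp overrides novncproxy_base_url and spice.html5proxy_base_url but not serial_console.base_url, so any serial console test runs against whatever default that option has; add a third CONF.set_override with group 'serial_console' so the expected scheme is pinned by the test. The six _fake_getheader* helpers differ only in the cookie, Origin and Host values they return; a single factory that takes those three values would remove the duplication and put each test's inputs at its call site.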
@@ -52,6 +123,7 @@ class NovaProxyRequestHandlerBaseTestCase(test.TestCase):
         check_token.return_value = False
 
         self.wh.path = "ws://127.0.0.1/?token=XXX"
+        self.wh.headers.getheader = self._fake_getheader
 
         self.assertRaises(Exception, self.wh.new_websocket_client)  # noqa
         check_token.assert_called_with(mock.ANY, token="XXX")
@@ -60,11 +132,12 @@ class NovaProxyRequestHandlerBaseTestCase(test.TestCase):
     def test_new_websocket_client_novnc(self, check_token):
         check_token.return_value = {
             'host': 'node1',
-            'port': '10000'
+            'port': '10000',
+            'console_type': 'novnc'
         }
         self.wh.socket.return_value = '<socket>'
         self.wh.path = "http://127.0.0.1/"
-        self.wh.headers.getheader.return_value = "token=123-456-789"
+        self.wh.headers.getheader = self._fake_getheader
 
         self.wh.new_websocket_client()
 
@@ -77,7 +150,111 @@ class NovaProxyRequestHandlerBaseTestCase(test.TestCase):
         check_token.return_value = False
 
         self.wh.path = "http://127.0.0.1/"
-        self.wh.headers.getheader.return_value = "token=XXX"
+        self.wh.headers.getheader = self._fake_getheader_bad_token
 
         self.assertRaises(Exception, self.wh.new_websocket_client)  # noqa
         check_token.assert_called_with(mock.ANY, token="XXX")
+
+    @mock.patch('nova.consoleauth.rpcapi.ConsoleAuthAPI.check_token')
+    def test_new_websocket_client_novnc_bad_origin_header(self, check_token):
+        check_token.return_value = {
+            'host': 'node1',
+            'port': '10000',
+            'console_type': 'novnc'
+        }
+
+        self.wh.path = "http://127.0.0.1/"
+        self.wh.headers.getheader = self._fake_getheader_bad_origin
+
+        self.assertRaises(exception.ValidationError,
+                          self.wh.new_websocket_client)
+
+    @mock.patch('nova.consoleauth.rpcapi.ConsoleAuthAPI.check_token')
+    def test_new_websocket_client_novnc_blank_origin_header(self, check_token):
+        check_token.return_value = {
+            'host': 'node1',
+            'port': '10000',
+            'console_type': 'novnc'
+        }
+
+        self.wh.path = "http://127.0.0.1/"
+        self.wh.headers.getheader = self._fake_getheader_blank_origin
+
+        self.assertRaises(exception.ValidationError,
+                          self.wh.new_websocket_client)
+
+    @mock.patch('nova.consoleauth.rpcapi.ConsoleAuthAPI.check_token')
+    def test_new_websocket_client_novnc_no_origin_header(self, check_token):
+        check_token.return_value = {
+            'host': 'node1',
+            'port': '10000',
+            'console_type': 'novnc'
+        }
+        self.wh.socket.return_value = '<socket>'
+        self.wh.path = "http://127.0.0.1/"
+        self.wh.headers.getheader = self._fake_getheader_no_origin
+
+        self.wh.new_websocket_client()
+
+        check_token.assert_called_with(mock.ANY, token="123-456-789")
+        self.wh.socket.assert_called_with('node1', 10000, connect=True)
+        self.wh.do_proxy.assert_called_with('<socket>')
+
+    @mock.patch('nova.consoleauth.rpcapi.ConsoleAuthAPI.check_token')
+    def test_new_websocket_client_novnc_bad_origin_proto_vnc(self,
+                                                             check_token):
+        check_token.return_value = {
+            'host': 'node1',
+            'port': '10000',
+            'console_type': 'novnc'
+        }
+
+        self.wh.path = "http://127.0.0.1/"
+        self.wh.headers.getheader = self._fake_getheader_http
+
+        self.assertRaises(exception.ValidationError,
+                          self.wh.new_websocket_client)
+
+    @mock.patch('nova.consoleauth.rpcapi.ConsoleAuthAPI.check_token')
+    def test_new_websocket_client_novnc_bad_origin_proto_spice(self,
+                                                               check_token):
+        check_token.return_value = {
+            'host': 'node1',
+            'port': '10000',
+            'console_type': 'spice-html5'
+        }
+
+        self.wh.path = "http://127.0.0.1/"
+        self.wh.headers.getheader = self._fake_getheader_http
+
+        self.assertRaises(exception.ValidationError,
+                          self.wh.new_websocket_client)
+
+    @mock.patch('nova.consoleauth.rpcapi.ConsoleAuthAPI.check_token')
+    def test_new_websocket_client_novnc_bad_origin_proto_serial(self,
+                                                                check_token):
+        check_token.return_value = {
+            'host': 'node1',
+            'port': '10000',
+            'console_type': 'serial'
+        }
+
+        self.wh.path = "http://127.0.0.1/"
+        self.wh.headers.getheader = self._fake_getheader_http
+
+        self.assertRaises(exception.ValidationError,
+                          self.wh.new_websocket_client)
+
+    @mock.patch('nova.consoleauth.rpcapi.ConsoleAuthAPI.check_token')
+    def test_new_websocket_client_novnc_bad_console_type(self, check_token):
+        check_token.return_value = {
+            'host': 'node1',
+            'port': '10000',
+            'console_type': 'bad-console-type'
+        }
+
+        self.wh.path = "http://127.0.0.1/"
+        self.wh.headers.getheader = self._fake_getheader
+
+        self.assertRaises(exception.ValidationError,
+                          self.wh.new_websocket_client)
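Review bot: The spice-html5 and serial console types are exercised only with a mismatching http Origin (the bad_origin_proto_spice and bad_origin_proto_serial tests), so a verify_origin_proto that rejected every Origin for those types would still pass; add a success case for each with an Origin whose scheme matches the configured base URL. Cases for a missing Host header and for an Origin whose port differs from Host are also absent. The novnc_ prefix in the spice, serial and bad_console_type test names is misleading and should be dropped.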
-- 
1.7.9.5