[openstack-dev] [nova] cross-site console web socket proxies no longer work

Mike Dorman mdorman at godaddy.com
Mon Jul 13 19:20:33 UTC 2015


I noticed in Kilo there’s a validation check in the console web socket proxies to ensure the hostnames from the Origin and Host headers match.  This was as a result of CVE-2015-0259 (https://bugs.launchpad.net/nova/+bug/1409142).  Effectively it disabled cross-site web socket connections.

This is OK for Horizon, but we also run our own custom UI that’s on a different hostname from the console proxy servers.  Therefore we need to have the cross-site connections work.  I have opened https://bugs.launchpad.net/nova/+bug/1474079 for this.

My thought is to add a new nova configuration parameter which would list additional allowed Origin hosts for the proxy servers.  And add those to the check at https://github.com/openstack/nova/blob/master/nova/console/websocketproxy.py#L116

I will probably go ahead and implement that for us internally, but interested in opinions on this approach for upstream Nova purposes.  I’m happy to do the work, but want to make sure this is generally in line with what the community would accept first.

Thanks,
Mike
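
The check proposed in the message above, sketched as an added example that is not part of the original message and is not nova's code: the Origin hostname must equal the Host hostname or appear in an operator-supplied allowlist. The parameter name `allowed_origin_hosts`, the plain-dict headers and the hostnames are assumptions made for illustration.

```python
from urllib.parse import urlsplit


def _hostname(value):
    """Hostname (lower-cased by urlsplit) from an Origin URL or Host value."""
    # A Host header has no scheme ("proxy.example.com:6080"); prefix "//" so
    # urlsplit parses it as a network location, including ports and [IPv6].
    if "://" not in value:
        value = "//" + value
    try:
        return urlsplit(value).hostname
    except ValueError:  # e.g. unbalanced brackets in an IPv6 literal
        return None


def origin_allowed(headers, allowed_origin_hosts=()):
    """Decide whether a WebSocket handshake may proceed.

    headers: dict of request headers (constructed here; a real server
    would pass its own header object).
    allowed_origin_hosts: hypothetical config list of extra Origin hostnames.
    """
    origin = headers.get("Origin")
    if origin is None:
        # Assumption of this sketch: no Origin means a non-browser client,
        # which the cross-site check is not aimed at.
        return True
    # "null" and other scheme-less values are never an acceptable Origin.
    origin_host = _hostname(origin) if "://" in origin else None
    if origin_host is None:
        return False
    # Exact hostname match only: no suffix or wildcard matching, so
    # "ui.example.net.other.example" does not pass as "ui.example.net".
    expected = {h.lower() for h in allowed_origin_hosts}
    request_host = _hostname(headers.get("Host", ""))
    if request_host:
        expected.add(request_host)
    return origin_host in expected
```

Keeping the allowlist to exact hostnames means each cross-site UI has to be named explicitly, and an empty list reproduces the same-host-only behaviour.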
