[Openstack-security] [openstack/oslo.middleware] SecurityImpact review request change I50a70d477613025d3e54e4ee773bbb1d6fcf2e68

gerrit2 at review.openstack.org
Mon Mar 7 10:47:48 UTC 2016


Hi, I'd like you to take a look at this patch for potential
SecurityImpact.
https://review.openstack.org/283052

Log:
commit f62c3a74c07238d91efb17e9ac64373f08894490
Author: Juan Antonio Osorio Robles <jaosorior at redhat.com>
Date:   Mon Feb 22 14:07:50 2016 +0200

    Disable http_proxy_to_wsgi middleware by default
    
    Having this middleware as default is very convenient for deployments,
    since this enables the application to handle the appropriate headers
    correctly in order to deal with SSL, which is nice to have out of the
    box. Heat, for instance, has already taken this middleware as default.
    
    However, having this act on the headers by default may not be so
    desirable, as the application may not be in front of a proxy, and thus
    will have nothing that parses or strips the X-Forwarded-* headers,
    which can lead to security problems.
    
    Thus, this patch proposes the enabling of this functionality through a
    configuration option. This will enable more projects to take this
    middleware into use by default, and the deployer would only need to
    change one configuration file; while leaving the paste configuration
    intact.
    
    Change-Id: I50a70d477613025d3e54e4ee773bbb1d6fcf2e68
    SecurityImpact
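
The behaviour the commit message describes, as an added example that is not oslo.middleware's code: a stand-alone WSGI middleware whose class name and `parse_proxy_headers` flag are hypothetical, driven with constructed requests. With the flag off, client-supplied X-Forwarded-* headers are ignored; with it on, they rewrite the scheme and host the application sees, which is safe only behind a proxy that sets or strips them.

```python
# Added example, not oslo.middleware's implementation.
# ProxyHeadersToWSGI and parse_proxy_headers are hypothetical names.

class ProxyHeadersToWSGI:
    """Rewrite the WSGI environ from X-Forwarded-* headers, only when enabled."""

    def __init__(self, app, parse_proxy_headers=False):
        self.app = app
        # Off by default: with no proxy in front to set or strip these
        # headers, their values come straight from the client.
        self.parse_proxy_headers = parse_proxy_headers

    def __call__(self, environ, start_response):
        if self.parse_proxy_headers:
            proto = environ.get("HTTP_X_FORWARDED_PROTO")
            if proto in ("http", "https"):
                environ["wsgi.url_scheme"] = proto
            host = environ.get("HTTP_X_FORWARDED_HOST")
            if host:
                environ["HTTP_HOST"] = host
        return self.app(environ, start_response)


def self_link_app(environ, start_response):
    """Toy application that builds an absolute link to itself."""
    url = "%s://%s%s" % (environ["wsgi.url_scheme"],
                         environ["HTTP_HOST"],
                         environ.get("PATH_INFO", "/"))
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [url.encode()]


# Constructed request headers, as a client could send them directly.
FORWARDED = {"HTTP_X_FORWARDED_PROTO": "https",
             "HTTP_X_FORWARDED_HOST": "other.example"}


def call(app, extra_headers=None):
    """Drive a WSGI app with a constructed request; return the body text."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/v1/stacks",
               "wsgi.url_scheme": "http",
               "HTTP_HOST": "api.internal.example:8004"}
    environ.update(extra_headers or {})
    return b"".join(app(environ, lambda status, headers: None)).decode()


if __name__ == "__main__":
    print("disabled:", call(ProxyHeadersToWSGI(self_link_app), FORWARDED))
    print("enabled: ", call(ProxyHeadersToWSGI(self_link_app, True), FORWARDED))
```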




