
yahoo-eng-team team mailing list archive

[Bug 1986545] Re: websockfiy open redirection unit test broken with Python >= 3.10.6 standard lib

 

The fix for the vulnerability in cpython has been backported to older
versions:

https://python-security.readthedocs.io/vuln/http-server-redirection.html

so we will need to fix our unit tests for older branches as well.

** Also affects: nova/yoga
   Importance: Undecided
       Status: New

** Also affects: nova/xena
   Importance: Undecided
       Status: New

** Also affects: nova/victoria
   Importance: Undecided
       Status: New

** Also affects: nova/wallaby
   Importance: Undecided
       Status: New

** Also affects: nova/train
   Importance: Undecided
       Status: New

** Also affects: nova/ussuri
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1986545

Title:
  websockfiy open redirection unit test broken with Python >= 3.10.6
  standard lib

Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Compute (nova) train series:
  New
Status in OpenStack Compute (nova) ussuri series:
  New
Status in OpenStack Compute (nova) victoria series:
  New
Status in OpenStack Compute (nova) wallaby series:
  New
Status in OpenStack Compute (nova) xena series:
  New
Status in OpenStack Compute (nova) yoga series:
  New

Bug description:
  Lucas Nussbaum reported this Debian bug:

  https://bugs.debian.org/1017217

  so I started investigating it. It took me a while to understand it was
  due to a change in the Python 3.10.6 standard http/server.py library.

  Running these 2 unit tests against Python 3.10.5 works:

  test_websocketproxy.NovaProxyRequestHandlerTestCase.test_reject_open_redirect
  console.test_websocketproxy.NovaProxyRequestHandlerTestCase.test_reject_open_redirect_3_slashes

  However, under Python 3.10.6, this fails. The reason isn't the
  interpreter itself, but the standard library, which has additional
  open redirection protection.

  Looking at the changelog here:
  https://docs.python.org/3/whatsnew/changelog.html

  we see this issue:
  https://github.com/python/cpython/issues/87389

  which has been addressed by this commit:
  https://github.com/python/cpython/commit/defaa2b19a9a01c79c1d5641a8aa179bb10ead3f

  If I "fix" the Python 3.10.5 standard library using the 2 lines of
  code of the first hunk of this patch, then I can reproduce the issue.

  I guess that the unit testing should be skipped if using Python >=
  3.10.6, probably, or adapted somehow. I leave this to the Nova
  maintainers: for the Debian package, I'll just skip these 2 unit
  tests.

  Cheers,

  Thomas Goirand (zigo)

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1986545/+subscriptions
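Added example, not part of the bug report or of Nova's test suite: a probe a test module could use to tell whether the running `http.server` already collapses leading slashes in the request path, so a test can choose its expectation from observed behaviour rather than from the interpreter version, which misses backported fixes. `collapse_leading_slashes` restates the normalization as an assumption about the upstream change for cpython issue 87389; the sample paths are constructed.

```python
import io
from http.server import BaseHTTPRequestHandler

# Constructed sample paths (not taken from the bug report).
SUSPECT_PATH = "//example.com/%2F.."
PLAIN_PATH = "/vnc_auto.html"


class _ParseOnly(BaseHTTPRequestHandler):
    """Runs only the stdlib request parser: no socket, no response sent."""

    def __init__(self, raw_request):
        # Deliberately skip the socketserver constructor; feed bytes directly.
        self.rfile = io.BytesIO(raw_request)
        self.wfile = io.BytesIO()
        self.client_address = ("127.0.0.1", 0)
        self.raw_requestline = self.rfile.readline()
        self.ok = self.parse_request()

    def send_error(self, code, message=None, explain=None):
        pass  # a parse failure is reported through self.ok instead

    def log_message(self, format, *args):
        pass  # keep test output quiet


def parsed_path(path):
    """Return the request path exactly as this stdlib's parser stores it."""
    raw = f"GET {path} HTTP/1.1\r\nHost: localhost\r\n\r\n".encode("ascii")
    handler = _ParseOnly(raw)
    if not handler.ok:
        raise ValueError(f"stdlib rejected request line for {path!r}")
    return handler.path


def collapse_leading_slashes(path):
    """Assumed form of the upstream normalization: '//x' becomes '/x'."""
    return "/" + path.lstrip("/") if path.startswith("//") else path


def stdlib_collapses_leading_slashes():
    """True when the running http.server rewrites a '//' prefixed path."""
    return parsed_path(SUSPECT_PATH) != SUSPECT_PATH


if __name__ == "__main__":
    print("stdlib collapses leading slashes:", stdlib_collapses_leading_slashes())
```

A test can branch on `stdlib_collapses_leading_slashes()` to assert either the proxy's own rejection or the already-normalized path, which also covers distribution builds that carry the backport under an older version number.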


