Merge "Horizon: HTTP Verb Tampering vulnerability fix"

2018-10-01 07:34:14 +00:00 · 2018-10-01 07:34:14 +00:00 · 653ee1330b
commit 653ee1330b
parent 0f6b734946 b8eb8b3581
2 changed files with 5 additions and 0 deletions
--- a/horizon/templates/bin/_horizon.sh.tpl
+++ b/horizon/templates/bin/_horizon.sh.tpl
@ -27,6 +27,8 @@ function start () {
  # wsgi/horizon-http needs open files here, including secret_key_store
  chown -R horizon ${SITE_PACKAGES_ROOT}/openstack_dashboard/local/

+  a2enmod rewrite
+
  if [ -f /etc/apache2/envvars ]; then
     # Loading Apache2 ENV variables
     source /etc/apache2/envvars
--- a/horizon/values.yaml
+++ b/horizon/values.yaml
@ -74,6 +74,9 @@ conf:
          WSGIProcessGroup horizon-http
          WSGIScriptAlias / /var/www/cgi-bin/horizon/django.wsgi
          WSGIPassAuthorization On
+          RewriteEngine on
+          RewriteCond %{REQUEST_METHOD} !^(POST|PUT|GET|DELETE)
+          RewriteRule .* - [F]

          <Location "/">
              Require all granted