Bug 1359791

Summary: python-autobahn: Incorrectly checks the Origin header when the 'allowedOrigins' value is set
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: aortega, apevec, ayoung, chrisw, cvsbot-xmlrpc, dprince, jcoufal, jjoyce, jschluet, jujens, kbasil, lhh, lpeer, markmc, mburns, rbryant, rhos-maint, sclewis, slong, tdecacqu
Keywords: Reopened, Security
Hardware: All
OS: Linux
Fixed In Version: python-autobahn 0.15
Doc Type: If docs needed, set a value
Last Closed: 2016-12-16 00:51:16 UTC
Bug Depends On: 1359792, 1367635
Bug Blocks: 1359793

Description Andrej Nemec 2016-07-25 12:52:58 UTC
Autobahn|Python incorrectly checks the Origin header when the 'allowedOrigins' value is set. This can allow third parties to execute legitimate requests for WAMP WebSocket requests against an Autobahn|Python/Crossbar.io server within another browser's context.

Upstream bug:

https://github.com/crossbario/autobahn-python/issues/691

Upstream fixes (second one only adds documentation):

https://github.com/crossbario/autobahn-python/pull/693/commits/2ef13a6804054de74eb36455b58a64a3c701f889
https://github.com/crossbario/autobahn-python/pull/693/commits/13357252435442e8372be731f176260acedc40e0
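
Added illustration of the class of defect described in this report, not Autobahn's own code and not a copy of the upstream patch: an allowedOrigins check that turns each allow-list entry into a regular expression and tests it with re.match, which anchors only at the start of the string, beside a hardened check that reduces the Origin value to scheme, host and port and compares each component against the rule. The allow-list, the test origins, and the decision that '*' stands for exactly one DNS label are assumptions made for this example.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list in the shape an operator would pass as allowedOrigins.
# Assumption for this example; not taken from the bug report or the project.
ALLOWED_ORIGINS = ["https://example.com", "https://*.example.com"]

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_allowed_unanchored(origin, allowed=ALLOWED_ORIGINS):
    """Flawed check (assumed shape of the defect): each entry becomes a regex
    with '*' -> '.*', and re.match anchors only at the start of the string,
    so any origin that merely begins with an allowed one is accepted."""
    for entry in allowed:
        pattern = re.compile(entry.replace(".", r"\.").replace("*", ".*"))
        if pattern.match(origin):
            return True
    return False


def parse_origin(value):
    """Reduce a serialized origin (RFC 6454: scheme://host[:port]) to a
    (scheme, host, port) tuple, or None if it is anything else.
    'null', bare hostnames, userinfo, paths and unparsable ports are rejected;
    a missing port takes the scheme's default so 'https://a' == 'https://a:443'."""
    try:
        u = urlparse(value)
        port = u.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return None
    if u.scheme not in DEFAULT_PORTS or not u.hostname:
        return None
    if u.path or u.params or u.query or u.fragment or u.username or u.password:
        return None
    return u.scheme, u.hostname, port if port is not None else DEFAULT_PORTS[u.scheme]


def _host_regex(pattern_host):
    """'*' stands for exactly one DNS label; everything else is literal,
    and the whole host is anchored at both ends."""
    labels = r"[^.]+".join(re.escape(part) for part in pattern_host.split("*"))
    return re.compile("^" + labels + "$")


def origin_allowed(origin, allowed=ALLOWED_ORIGINS):
    """Hardened check: compare scheme, host and port separately, with the
    wildcard confined to the host component."""
    parsed = parse_origin(origin)
    if parsed is None:
        return False
    scheme, host, port = parsed
    for entry in allowed:
        rule = parse_origin(entry)
        if rule is None:
            continue  # a malformed allow-list entry must never widen access
        r_scheme, r_host, r_port = rule
        if scheme == r_scheme and port == r_port and _host_regex(r_host).match(host):
            return True
    return False


if __name__ == "__main__":
    # Constructed Origin values: the third is attacker-controlled and only
    # shares a prefix with an allowed origin.
    for o in ["https://example.com", "https://app.example.com",
              "https://example.com.attacker.net", "http://example.com", "null"]:
        print(f"{o:34} unanchored={origin_allowed_unanchored(o)!s:5} "
              f"hardened={origin_allowed(o)}")
```

The unanchored check accepts https://example.com.attacker.net because re.match stops after the allowed prefix, which is the browser-context bypass the report describes. The hardened check rejects it, treats a missing port as the scheme default, refuses the literal origin "null" sent by sandboxed frames, and skips malformed allow-list entries instead of letting them match anything.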

Comment 1 Andrej Nemec 2016-07-25 12:53:32 UTC
Created python-autobahn tracking bugs for this issue:

Affects: fedora-24 [bug 1359792]

Comment 2 Fedora Update System 2016-08-04 20:54:37 UTC
python-autobahn-0.10.9-1.gitcf10233.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 Dan Prince 2016-09-23 15:45:48 UTC
OSP 10 will use zaqar in the undercloud. The websockets interface for Zaqar does require autobahn and we are using it from both Mistral workflows and the UI to help transport async messages to clients.

I'm not aware of a BZ which outlines all of our usage patterns. Zaqar has multiple transports. We will typically:

1) send messages to a Zaqar queue over HTTP

2) get messages from a Zaqar queue over either HTTP or websockets (autobahn). The case for websockets could come from either python-tripleoclient (a remote client) or the UI running in a web browser.