Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1482903

Summary: [DOCS] vague behavior of a "corsAllowedOrigins" parameter in a "master-config.yaml" configuration file
Product: OpenShift Container Platform Reporter: Alexander Zagaynov <azagayno>
Component: DocumentationAssignee: Ashley Hardin <ahardin>
Status: CLOSED CURRENTRELEASE QA Contact: Johnny Liu <jialiu>
Severity: medium Docs Contact: Vikram Goyal <vigoyal>
Priority: high    
Version: 3.4.0CC: aos-bugs, dcaldwel, jialiu, jliggitt, jokerman, mmccomas
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: 3.10-release-plan
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1512708 (view as bug list) Environment:
Last Closed: 2018-04-11 21:15:49 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1512708    

Description Alexander Zagaynov 2017-08-18 11:13:53 UTC 
Description of problem:

"corsAllowedOrigins" parameter in a "master-config.yaml" configuration file behavior is either not documented well or leads to a possible security leak.
It is possible to set it to "something" and both "something" and "something.hostile.com" in an "Origin:" HTTP header will be matched as valid.
It is also possible to set it to "127.0.0.1" and "127a0b0c1" will be matched as valid.

Version-Release number of selected component (if applicable):

- not applicable

How reproducible:

- see description above

Steps to Reproduce:

- see description above

Actual results:

- see description above

Expected results:

- see description above

Additional info:

https://github.com/openshift/origin/blob/master/vendor/github.com/emicklei/go-restful/cors_filter.go#L195
https://github.com/openshift/origin/blob/master/vendor/github.com/emicklei/go-restful/cors_filter.go#L145
https://github.com/kubernetes/apiserver/blob/master/pkg/server/filters/cors.go#L91
https://github.com/kubernetes/apiserver/blob/master/pkg/server/filters/cors.go#L46
https://golang.org/pkg/regexp/#Compile
Comment 1 Jordan Liggitt 2017-08-19 01:12:38 UTC 
Correct. It is a regular expression, fully under the control of the config field (i.e. no pinning or escaping is done to the value)

We can update documentation to make that clearer
Comment 2 Alexander Zagaynov 2017-08-30 11:55:31 UTC 
I've added a PR to `openshift-ansible` repo about that: https://github.com/openshift/openshift-ansible/pull/5264
Comment 4 Jordan Liggitt 2018-04-06 20:29:18 UTC 
added comment in issue
Comment 5 Johnny Liu 2018-04-09 11:12:31 UTC 
LGTM.
Comment 6 Ashley Hardin 2018-04-11 21:15:49 UTC 
Content is now published:
https://access.redhat.com/documentation/en-us/openshift_container_platform/3.9/html/architecture/infrastructure-components#architecture-infrastructure-components-web-console