openbmc REST API has too permissive CORS policy

Nishanth S nishanths1992 at gmail.com
Thu Jan 23 12:50:20 AEDT 2020


Hi All,

     The BMC REST API effectively allows cross-origin requests from any
domain to almost all URLs. If a user accesses the API from a browser, then
any other malicious website visited in that browser will be able to access
the REST API without the user's knowledge.

At line 1329 of rest_dbus.py [1], if the request contains an Origin header,
the REST server adds that origin to the "Access-Control-Allow-Origin" of the
response:

    def process_origin():
        origin = request.headers.get('Origin')
        if origin:
            response.add_header('Access-Control-Allow-Origin', origin)
            response.add_header('Access-Control-Allow-Credentials', 'true')

Browsers use the Access-Control-Allow-Origin header to determine which
other origins are allowed to send cross-origin requests to the REST API.
This effectively allows all origins to send cross-origin requests. This
header is applied to all property and method accesses through the API.

    What is the significance of this?

Thank you,
Nishanth
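The origin reflection described in the message, as an added example that is not from the original post or from the OpenBMC code base: the quoted reflective pattern is placed beside an allowlist-based check, and a small approximation of the browser's credentialed-CORS decision shows which responses a cross-origin page could actually read. The allowlist entries and sample origins are constructed for the demonstration; the `Vary: Origin` header and the origin normalisation are assumptions about how a hardened handler would be written, not code from rest_dbus.py.

```python
"""Added example (not from the original message or the OpenBMC project):
the reflective CORS pattern quoted in the post, beside an allowlist-based
check. Both functions take the request's Origin header value and return
the CORS headers the server would emit, so the difference can be compared
on sample origins. The allowlist and sample origins are constructed."""

from urllib.parse import urlsplit

# Constructed allowlist: origins a BMC operator has deliberately trusted.
TRUSTED_ORIGINS = frozenset({
    "https://bmc.example.internal",
    "https://ops-console.example.internal",
})


def reflective_cors_headers(origin):
    """Pattern quoted from rest_dbus.py: reflect whatever Origin arrives
    and also allow credentials, so every origin is accepted."""
    headers = {}
    if origin:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def _normalise(origin):
    """Reduce an Origin header to scheme://host[:port] for exact matching.
    Returns None for 'null' or anything that is not a bare origin."""
    if not origin or origin == "null":
        return None
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    return f"{parts.scheme}://{parts.netloc.lower()}"


def allowlisted_cors_headers(origin, allowed=TRUSTED_ORIGINS):
    """Hardened form (assumed design): emit CORS headers only for an origin
    on the allowlist. Unlisted origins get no ACAO header at all, so the
    browser refuses the cross-origin read; credentials are allowed only
    together with a match. 'Vary: Origin' tells caches the response
    depends on the request origin."""
    normalised = _normalise(origin)
    if normalised is None or normalised not in allowed:
        return {"Vary": "Origin"}
    return {
        "Access-Control-Allow-Origin": normalised,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def browser_permits_credentialed_read(headers, requesting_origin):
    """Approximation of the browser-side check for a credentialed request:
    ACAO must equal the requesting origin exactly (no wildcard allowed)
    and Access-Control-Allow-Credentials must be 'true'."""
    return (headers.get("Access-Control-Allow-Origin") == requesting_origin
            and headers.get("Access-Control-Allow-Credentials") == "true")


if __name__ == "__main__":
    # Constructed sample origins: one trusted console, one unrelated site,
    # and the opaque 'null' origin a sandboxed or file:// page may send.
    for origin in ("https://ops-console.example.internal",
                   "https://unrelated-site.example",
                   "null"):
        for name, fn in (("reflective", reflective_cors_headers),
                         ("allowlisted", allowlisted_cors_headers)):
            hdrs = fn(origin)
            ok = browser_permits_credentialed_read(hdrs, origin)
            print(f"{name:11} origin={origin!r:40} browser read allowed={ok}")
```

Run it directly to see that the reflective handler lets every origin, including "null", read credentialed responses, while the allowlisted handler only does so for the two configured origins; a detection-minded reviewer can apply the same comparison to real BMC responses by checking whether Access-Control-Allow-Origin simply echoes the Origin header that was sent.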