openbmc REST API has too permissive CORS policy
Nishanth S
nishanths1992 at gmail.com
Thu Jan 23 12:50:20 AEDT 2020
Hi All,
The BMC REST API effectively allows cross-origin requests from any
domain to almost all URLs. If a user accesses the API from a browser, then
any other malicious website visited in that browser will be able to access
the REST API without the user's knowledge.
At line 1329 of rest_dbus.py [1], if the request contains an Origin header, the
REST server adds that origin to the "Access-Control-Allow-Origin" of the
response:
    from bottle import request, response  # Bottle objects used by rest_dbus.py

    def process_origin():
        origin = request.headers.get('Origin')
        if origin:
            # Echoes whatever origin the client sent, with credentials allowed
            response.add_header('Access-Control-Allow-Origin', origin)
            response.add_header('Access-Control-Allow-Credentials', 'true')
Browsers use the Access-Control-Allow-Origin header to determine which
other origins are allowed to send cross-origin requests to the REST API. This
effectively allows all origins to send cross-origin requests. This header is
applied to all property and method accesses through the API.
What is the significance of this?
Thank you,
Nishanth
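An added illustration, not code from the OpenBMC tree or from the post above: the reflecting behaviour the message describes, placed next to a variant that only echoes an exact allowlist match and only then grants credentials. The allowlist, hostnames and function names are assumed for illustration; only the standard library is used.

```python
from urllib.parse import urlsplit

# Constructed allowlist standing in for a deployment's own configuration
# (assumed, not taken from OpenBMC).
ALLOWED_ORIGINS = frozenset({
    "https://bmc.example.internal",
    "https://bmc.example.internal:8443",
})


def cors_headers_reflecting(origin):
    """Behaviour described in the post: any Origin is echoed back, with
    credentials allowed, so every origin may read authenticated responses."""
    headers = {}
    if origin:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def normalize_origin(origin):
    """Canonical scheme://host[:port] for an Origin value, or None if it is
    absent, the opaque 'null' origin, or not a bare origin."""
    if not origin or origin == "null":
        return None
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if parts.path or parts.query or parts.fragment:
        return None
    return f"{parts.scheme}://{parts.netloc.lower()}"


def cors_headers_allowlisted(origin, allowed=ALLOWED_ORIGINS):
    """Hardened variant: exact match against the allowlist (no substring or
    prefix matching), credentials only for an allowlisted origin, and no CORS
    headers at all for anything else so the browser blocks the read."""
    headers = {}
    canonical = normalize_origin(origin)
    if canonical is not None and canonical in allowed:
        headers["Access-Control-Allow-Origin"] = canonical
        headers["Access-Control-Allow-Credentials"] = "true"
        headers["Vary"] = "Origin"  # keep caches from serving one origin's ACAO to another
    return headers


if __name__ == "__main__":
    for o in ("https://bmc.example.internal", "https://attacker.example",
              "https://bmc.example.internal.attacker.example", "null"):
        print(o, cors_headers_reflecting(o), cors_headers_allowlisted(o))
```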