From: Ernesto Puerta
Date: Thu, 13 May 2021 15:43:56 +0000 (+0200)
Subject: mgr/dashboard: fix cookie injection issue
X-Git-Tag: v16.2.4~1
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=af3fffab3b0f13057134d96e5d481e400d8bfd27;p=ceph.git

mgr/dashboard: fix cookie injection issue

Fixes: CVE-2021-3509
Signed-off-by: Ernesto Puerta
(cherry picked from commit b39922818bc57cde1b016e9ad41908b18063b93b)
---

diff --git a/src/pybind/mgr/dashboard/controllers/docs.py b/src/pybind/mgr/dashboard/controllers/docs.py
index 295a36ad8559..e7ed9742ab9d 100644
--- a/src/pybind/mgr/dashboard/controllers/docs.py
+++ b/src/pybind/mgr/dashboard/controllers/docs.py
@@ -8,7 +8,7 @@ import cherrypy
 from .. import DEFAULT_VERSION, mgr
 from ..api.doc import Schema, SchemaInput, SchemaType
-from . import ENDPOINT_MAP, BaseController, Controller, Endpoint, allow_empty_body
+from . import ENDPOINT_MAP, BaseController, Controller, Endpoint
 NO_DESCRIPTION_AVAILABLE = "*No description available*"
@@ -383,31 +383,13 @@ class Docs(BaseController):
 def api_all_json(self):
 return self._gen_spec(True, "/")
- def _swagger_ui_page(self, all_endpoints=False, token=None):
+ def _swagger_ui_page(self, all_endpoints=False):
 base = cherrypy.request.base
 if all_endpoints:
 spec_url = "{}/docs/api-all.json".format(base)
 else:
 spec_url = "{}/docs/api.json".format(base)
- auth_header = cherrypy.request.headers.get('authorization')
- auth_cookie = cherrypy.request.cookie['token']
- jwt_token = ""
- if auth_cookie is not None:
- jwt_token = auth_cookie.value
- elif auth_header is not None:
- scheme, params = auth_header.split(' ', 1)
- if scheme.lower() == 'bearer':
- jwt_token = params
- else:
- if token is not None:
- jwt_token = token
-
- api_key_callback = """, onComplete: () => {{
- ui.preauthorizeApiKey('jwt', '{}');
- }}
- """.format(jwt_token)
- page = """
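Review bot: The new `_swagger_ui_page(self, all_endpoints=False)` carries no record of why the `token` parameter and the cookie/Authorization-header lookup were dropped, so nothing stops a later convenience patch from feeding a credential back into the generated page; a docstring should pin the constraint, e.g. `"""Render the Swagger UI page for the API spec. Deliberately embeds no credential: interpolating the session token (from cookie, header or POST body) into the inline script is what enabled the cookie injection fixed as CVE-2021-3509."""`. The method body, including the page template that the returned `page` string is built from, continues past the end of this hunk.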
@@ -448,14 +430,13 @@ class Docs(BaseController):
 SwaggerUIBundle.presets.apis
 ],
 layout: "BaseLayout"
- {}
 }})
 window.ui = ui
 }}
- """.format(spec_url, api_key_callback)
+ """.format(spec_url)
 return page
@@ -463,12 +444,6 @@ class Docs(BaseController):
 def __call__(self, all_endpoints=False):
 return self._swagger_ui_page(all_endpoints)
- @Endpoint('POST', path="/", json_response=False,
- query_params="{all_endpoints}", version=None)
- @allow_empty_body
- def _with_token(self, token, all_endpoints=False):
- return self._swagger_ui_page(all_endpoints, token)
-
 if __name__ == "__main__":
 import sys
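Review bot: On the new side `""".format(spec_url)` still splices a request-derived value into the inline script with no encoding: `spec_url` is built in the earlier hunk from `cherrypy.request.base`, which CherryPy derives from the request's Host header (or the forwarded host when its proxy tool is enabled), so it is the one remaining request-to-JavaScript boundary left in the template after the token path is removed. For the same class of issue the commit fixes, it is safer to encode the value than to trust the host string, e.g. `""".format(json.dumps(spec_url))` with the quotes around the placeholder dropped from the template (the placeholder line sits between the hunks and is not visible here, so confirm how it is quoted; `json` would also need to be imported at the top of the file if it is not already). Whether this is reachable depends on a deployment letting a proxy control the host seen by CherryPy; if that is considered out of scope, a one-line comment next to `base = cherrypy.request.base` stating that the host is trusted would at least make the assumption explicit. The enclosing `_swagger_ui_page` starts before this hunk.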