)]}'
{"id":"openstack%2Fnova~163033","triplet_id":"openstack%2Fnova~master~Ica6ec23d6f69a236657d5ba0c3f51b693c633649","project":"openstack/nova","branch":"master","topic":"bug/1409142","hashtags":[],"change_id":"Ica6ec23d6f69a236657d5ba0c3f51b693c633649","subject":"Websocket Proxy should verify Origin header","status":"MERGED","created":"2015-03-10 15:00:24.000000000","updated":"2015-03-17 06:18:37.000000000","submitted":"2015-03-12 15:31:08.000000000","submitter":{"_account_id":3,"name":"Jenkins","username":"jenkins"},"total_comment_count":4,"unresolved_comment_count":0,"has_review_started":true,"meta_rev_id":"d92607d4d7bfa06f51f96463010b09d1a94eaddd","_number":163033,"virtual_id_number":163033,"owner":{"_account_id":9311,"name":"Tristan Cacqueray","email":"tdecacqu@redhat.com","username":"tristanC"},"actions":{},"labels":{"Verified":{"approved":{"_account_id":3,"name":"Jenkins","username":"jenkins"},"all":[{"value":0,"date":"2015-03-12 12:32:43.000000000","_account_id":11561,"name":"Dave McCowan","email":"dmccowan@cisco.com","username":"dave-mccowan"},{"value":0,"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},{"value":0,"date":"2015-03-12 19:35:22.000000000","post_submit":true,"permitted_voting_range":{"min":0,"max":1},"_account_id":9578,"name":"DB Datasets CI","email":"turbo-hipster@lists.rcbops.com","username":"turbo-hipster","tags":["SERVICE_USER"]},{"value":0,"date":"2015-03-12 04:42:45.000000000","permitted_voting_range":{"min":0,"max":1},"_account_id":10118,"name":"IBM PowerKVM CI","email":"kvmpower@linux.vnet.ibm.com","username":"powerkvm","tags":["SERVICE_USER"]},{"value":0,"_account_id":5441,"name":"Andrew Laski","email":"andrew@lascii.com","username":"alaski"},{"value":0,"_account_id":12898,"name":"Tony Breeds","email":"tony@bakeyournoodle.com","username":"tonyb"},{"value":2,"date":"2015-03-12 15:31:08.000000000","_account_id":3,"name":"Jenkins","username":"jenkins"},{"value":0,"_account_id":7677,"name":"Solly 
Ross","email":"sross@redhat.com","username":"sross"},{"value":0,"_account_id":2750,"name":"Sean Dague","email":"sean@dague.net","username":"sdague"},{"value":0,"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},{"value":0,"date":"2015-03-12 04:29:40.000000000","_account_id":11103,"name":"Intel PCI CI","email":"otc_cloud@163.com","username":"intelotccloud","inactive":true,"tags":["SERVICE_USER"]},{"value":0,"date":"2015-03-12 13:42:19.000000000","_account_id":9311,"name":"Tristan Cacqueray","email":"tdecacqu@redhat.com","username":"tristanC"},{"value":0,"_account_id":2271,"name":"Michael Still","email":"mikal@stillhq.com","username":"mikalstill"},{"value":0,"_account_id":2230,"name":"Paul McMillan","email":"paul@mcmillan.ws","username":"paul-mcmillan"},{"value":0,"date":"2015-03-17 06:18:37.000000000","post_submit":true,"_account_id":9008,"name":"VMware NSX CI","username":"vmwareminesweeper","tags":["SERVICE_USER"]},{"value":-1,"date":"2015-03-12 05:22:21.000000000","_account_id":10385,"name":"Citrix XenServer CI","username":"citrix_xenserver_ci","tags":["SERVICE_USER"]},{"value":0,"_account_id":6802,"name":"Joel Coffman","email":"jmc7tp@gmail.com","username":"joel-coffman"},{"value":0,"_account_id":7730,"name":"Sahid Orentino Ferdjaoui","email":"sahid.ferdjaoui@industrialdiscipline.com","username":"sahid"},{"value":0,"_account_id":9555,"name":"Matthew Booth","email":"mbooth@redhat.com","username":"MatthewBooth"},{"value":0,"_account_id":1779,"name":"Daniel Berrange","email":"berrange@redhat.com","username":"berrange"}],"values":{"-2":"Fails","-1":"Doesn\u0027t seem to work"," 0":"No score","+1":"Works for me","+2":"Verified"},"description":"","default_value":0,"optional":true},"Code-Review":{"approved":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"all":[{"value":0,"_account_id":11561,"name":"Dave 
McCowan","email":"dmccowan@cisco.com","username":"dave-mccowan"},{"value":2,"date":"2015-03-12 14:22:58.000000000","permitted_voting_range":{"min":2,"max":2},"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},{"value":0,"_account_id":9578,"name":"DB Datasets CI","email":"turbo-hipster@lists.rcbops.com","username":"turbo-hipster","tags":["SERVICE_USER"]},{"value":0,"_account_id":10118,"name":"IBM PowerKVM CI","email":"kvmpower@linux.vnet.ibm.com","username":"powerkvm","tags":["SERVICE_USER"]},{"value":0,"_account_id":5441,"name":"Andrew Laski","email":"andrew@lascii.com","username":"alaski"},{"value":1,"date":"2015-03-12 05:56:55.000000000","permitted_voting_range":{"min":1,"max":1},"_account_id":12898,"name":"Tony Breeds","email":"tony@bakeyournoodle.com","username":"tonyb"},{"value":0,"_account_id":3,"name":"Jenkins","username":"jenkins"},{"value":0,"_account_id":7677,"name":"Solly Ross","email":"sross@redhat.com","username":"sross"},{"value":2,"date":"2015-03-12 10:57:47.000000000","_account_id":2750,"name":"Sean Dague","email":"sean@dague.net","username":"sdague"},{"value":0,"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},{"value":0,"_account_id":11103,"name":"Intel PCI CI","email":"otc_cloud@163.com","username":"intelotccloud","inactive":true,"tags":["SERVICE_USER"]},{"value":0,"_account_id":9311,"name":"Tristan Cacqueray","email":"tdecacqu@redhat.com","username":"tristanC"},{"value":0,"_account_id":2271,"name":"Michael Still","email":"mikal@stillhq.com","username":"mikalstill"},{"value":0,"_account_id":2230,"name":"Paul McMillan","email":"paul@mcmillan.ws","username":"paul-mcmillan"},{"value":0,"_account_id":9008,"name":"VMware NSX CI","username":"vmwareminesweeper","tags":["SERVICE_USER"]},{"value":0,"_account_id":10385,"name":"Citrix XenServer CI","username":"citrix_xenserver_ci","tags":["SERVICE_USER"]},{"value":0,"_account_id":6802,"name":"Joel 
Coffman","email":"jmc7tp@gmail.com","username":"joel-coffman"},{"value":0,"_account_id":7730,"name":"Sahid Orentino Ferdjaoui","email":"sahid.ferdjaoui@industrialdiscipline.com","username":"sahid"},{"value":1,"date":"2015-03-12 13:55:22.000000000","permitted_voting_range":{"min":1,"max":1},"_account_id":9555,"name":"Matthew Booth","email":"mbooth@redhat.com","username":"MatthewBooth"},{"value":0,"_account_id":1779,"name":"Daniel Berrange","email":"berrange@redhat.com","username":"berrange"}],"values":{"-2":"Do not merge","-1":"This patch needs further work before it can be merged"," 0":"No score","+1":"Looks good to me, but someone else must approve","+2":"Looks good to me (core reviewer)"},"description":"","default_value":0,"optional":true},"Workflow":{"approved":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"all":[{"value":0,"_account_id":11561,"name":"Dave McCowan","email":"dmccowan@cisco.com","username":"dave-mccowan"},{"value":1,"date":"2015-03-12 14:22:58.000000000","permitted_voting_range":{"min":1,"max":1},"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},{"value":0,"_account_id":9578,"name":"DB Datasets CI","email":"turbo-hipster@lists.rcbops.com","username":"turbo-hipster","tags":["SERVICE_USER"]},{"value":0,"_account_id":10118,"name":"IBM PowerKVM CI","email":"kvmpower@linux.vnet.ibm.com","username":"powerkvm","tags":["SERVICE_USER"]},{"value":0,"_account_id":5441,"name":"Andrew Laski","email":"andrew@lascii.com","username":"alaski"},{"value":0,"_account_id":12898,"name":"Tony Breeds","email":"tony@bakeyournoodle.com","username":"tonyb"},{"value":0,"_account_id":3,"name":"Jenkins","username":"jenkins"},{"value":0,"_account_id":7677,"name":"Solly Ross","email":"sross@redhat.com","username":"sross"},{"value":0,"_account_id":2750,"name":"Sean Dague","email":"sean@dague.net","username":"sdague"},{"value":0,"_account_id":7166,"name":"Sylvain 
Bauza","email":"sbauza@redhat.com","username":"sbauza"},{"value":0,"_account_id":11103,"name":"Intel PCI CI","email":"otc_cloud@163.com","username":"intelotccloud","inactive":true,"tags":["SERVICE_USER"]},{"value":0,"_account_id":9311,"name":"Tristan Cacqueray","email":"tdecacqu@redhat.com","username":"tristanC"},{"value":0,"_account_id":2271,"name":"Michael Still","email":"mikal@stillhq.com","username":"mikalstill"},{"value":0,"date":"2015-03-12 13:36:49.000000000","_account_id":2230,"name":"Paul McMillan","email":"paul@mcmillan.ws","username":"paul-mcmillan"},{"value":0,"_account_id":9008,"name":"VMware NSX CI","username":"vmwareminesweeper","tags":["SERVICE_USER"]},{"value":0,"_account_id":10385,"name":"Citrix XenServer CI","username":"citrix_xenserver_ci","tags":["SERVICE_USER"]},{"value":0,"_account_id":6802,"name":"Joel Coffman","email":"jmc7tp@gmail.com","username":"joel-coffman"},{"value":0,"_account_id":7730,"name":"Sahid Orentino Ferdjaoui","email":"sahid.ferdjaoui@industrialdiscipline.com","username":"sahid"},{"value":0,"_account_id":9555,"name":"Matthew Booth","email":"mbooth@redhat.com","username":"MatthewBooth"},{"value":0,"_account_id":1779,"name":"Daniel Berrange","email":"berrange@redhat.com","username":"berrange"}],"values":{"-1":"Work in progress"," 0":"Ready for reviews","+1":"Approved"},"description":"","default_value":0,"optional":true},"Review-Priority":{"all":[{"value":0,"_account_id":11561,"name":"Dave McCowan","email":"dmccowan@cisco.com","username":"dave-mccowan"},{"value":0,"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},{"value":0,"_account_id":9578,"name":"DB Datasets CI","email":"turbo-hipster@lists.rcbops.com","username":"turbo-hipster","tags":["SERVICE_USER"]},{"value":0,"_account_id":10118,"name":"IBM PowerKVM CI","email":"kvmpower@linux.vnet.ibm.com","username":"powerkvm","tags":["SERVICE_USER"]},{"value":0,"_account_id":5441,"name":"Andrew 
Laski","email":"andrew@lascii.com","username":"alaski"},{"value":0,"_account_id":12898,"name":"Tony Breeds","email":"tony@bakeyournoodle.com","username":"tonyb"},{"value":0,"_account_id":3,"name":"Jenkins","username":"jenkins"},{"value":0,"_account_id":7677,"name":"Solly Ross","email":"sross@redhat.com","username":"sross"},{"value":0,"_account_id":2750,"name":"Sean Dague","email":"sean@dague.net","username":"sdague"},{"value":0,"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},{"value":0,"_account_id":11103,"name":"Intel PCI CI","email":"otc_cloud@163.com","username":"intelotccloud","inactive":true,"tags":["SERVICE_USER"]},{"value":0,"_account_id":9311,"name":"Tristan Cacqueray","email":"tdecacqu@redhat.com","username":"tristanC"},{"value":0,"_account_id":2271,"name":"Michael Still","email":"mikal@stillhq.com","username":"mikalstill"},{"value":0,"_account_id":2230,"name":"Paul McMillan","email":"paul@mcmillan.ws","username":"paul-mcmillan"},{"value":0,"_account_id":9008,"name":"VMware NSX CI","username":"vmwareminesweeper","tags":["SERVICE_USER"]},{"value":0,"_account_id":10385,"name":"Citrix XenServer CI","username":"citrix_xenserver_ci","tags":["SERVICE_USER"]},{"value":0,"_account_id":6802,"name":"Joel Coffman","email":"jmc7tp@gmail.com","username":"joel-coffman"},{"value":0,"_account_id":7730,"name":"Sahid Orentino Ferdjaoui","email":"sahid.ferdjaoui@industrialdiscipline.com","username":"sahid"},{"value":0,"_account_id":9555,"name":"Matthew Booth","email":"mbooth@redhat.com","username":"MatthewBooth"},{"value":0,"_account_id":1779,"name":"Daniel Berrange","email":"berrange@redhat.com","username":"berrange"}],"values":{" 0":"Default Priority","+1":"Contributor Review Promise","+2":"Core Review Promise"},"description":"","default_value":0,"optional":true}},"removable_reviewers":[],"reviewers":{"REVIEWER":[{"_account_id":3,"name":"Jenkins","username":"jenkins"},{"_account_id":1779,"name":"Daniel 
Berrange","email":"berrange@redhat.com","username":"berrange"},{"_account_id":2230,"name":"Paul McMillan","email":"paul@mcmillan.ws","username":"paul-mcmillan"},{"_account_id":2271,"name":"Michael Still","email":"mikal@stillhq.com","username":"mikalstill"},{"_account_id":2750,"name":"Sean Dague","email":"sean@dague.net","username":"sdague"},{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},{"_account_id":5441,"name":"Andrew Laski","email":"andrew@lascii.com","username":"alaski"},{"_account_id":6802,"name":"Joel Coffman","email":"jmc7tp@gmail.com","username":"joel-coffman"},{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},{"_account_id":7677,"name":"Solly Ross","email":"sross@redhat.com","username":"sross"},{"_account_id":7730,"name":"Sahid Orentino Ferdjaoui","email":"sahid.ferdjaoui@industrialdiscipline.com","username":"sahid"},{"_account_id":9008,"name":"VMware NSX CI","username":"vmwareminesweeper","tags":["SERVICE_USER"]},{"_account_id":9311,"name":"Tristan Cacqueray","email":"tdecacqu@redhat.com","username":"tristanC"},{"_account_id":9555,"name":"Matthew Booth","email":"mbooth@redhat.com","username":"MatthewBooth"},{"_account_id":9578,"name":"DB Datasets CI","email":"turbo-hipster@lists.rcbops.com","username":"turbo-hipster","tags":["SERVICE_USER"]},{"_account_id":10118,"name":"IBM PowerKVM CI","email":"kvmpower@linux.vnet.ibm.com","username":"powerkvm","tags":["SERVICE_USER"]},{"_account_id":10385,"name":"Citrix XenServer CI","username":"citrix_xenserver_ci","tags":["SERVICE_USER"]},{"_account_id":11103,"name":"Intel PCI CI","email":"otc_cloud@163.com","username":"intelotccloud","inactive":true,"tags":["SERVICE_USER"]},{"_account_id":11561,"name":"Dave McCowan","email":"dmccowan@cisco.com","username":"dave-mccowan"},{"_account_id":12898,"name":"Tony Breeds","email":"tony@bakeyournoodle.com","username":"tonyb"}]},"pending_reviewers":{},"reviewer_updates":[{"updated":"2015-03-11 
14:40:22.000000000","updated_by":{"_account_id":7730,"name":"Sahid Orentino Ferdjaoui","email":"sahid.ferdjaoui@industrialdiscipline.com","username":"sahid"},"reviewer":{"_account_id":7730,"name":"Sahid Orentino Ferdjaoui","email":"sahid.ferdjaoui@industrialdiscipline.com","username":"sahid"},"state":"REVIEWER"},{"updated":"2015-03-11 14:43:30.000000000","updated_by":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"reviewer":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"state":"REVIEWER"},{"updated":"2015-03-11 14:47:15.000000000","updated_by":{"_account_id":5441,"name":"Andrew Laski","email":"andrew@lascii.com","username":"alaski"},"reviewer":{"_account_id":5441,"name":"Andrew Laski","email":"andrew@lascii.com","username":"alaski"},"state":"REVIEWER"},{"updated":"2015-03-11 14:56:45.000000000","updated_by":{"_account_id":1779,"name":"Daniel Berrange","email":"berrange@redhat.com","username":"berrange"},"reviewer":{"_account_id":1779,"name":"Daniel Berrange","email":"berrange@redhat.com","username":"berrange"},"state":"REVIEWER"},{"updated":"2015-03-11 15:01:08.000000000","updated_by":{"_account_id":7677,"name":"Solly Ross","email":"sross@redhat.com","username":"sross"},"reviewer":{"_account_id":7677,"name":"Solly Ross","email":"sross@redhat.com","username":"sross"},"state":"REVIEWER"},{"updated":"2015-03-11 16:51:05.000000000","updated_by":{"_account_id":6802,"name":"Joel Coffman","email":"jmc7tp@gmail.com","username":"joel-coffman"},"reviewer":{"_account_id":6802,"name":"Joel Coffman","email":"jmc7tp@gmail.com","username":"joel-coffman"},"state":"REVIEWER"},{"updated":"2015-03-11 23:11:36.000000000","updated_by":{"_account_id":2271,"name":"Michael Still","email":"mikal@stillhq.com","username":"mikalstill"},"reviewer":{"_account_id":2271,"name":"Michael Still","email":"mikal@stillhq.com","username":"mikalstill"},"state":"REVIEWER"},{"updated":"2015-03-12 
04:29:40.000000000","updated_by":{"_account_id":11103,"name":"Intel PCI CI","email":"otc_cloud@163.com","username":"intelotccloud","inactive":true,"tags":["SERVICE_USER"]},"reviewer":{"_account_id":11103,"name":"Intel PCI CI","email":"otc_cloud@163.com","username":"intelotccloud","inactive":true,"tags":["SERVICE_USER"]},"state":"REVIEWER"},{"updated":"2015-03-12 04:42:45.000000000","updated_by":{"_account_id":10118,"name":"IBM PowerKVM CI","email":"kvmpower@linux.vnet.ibm.com","username":"powerkvm","tags":["SERVICE_USER"]},"reviewer":{"_account_id":10118,"name":"IBM PowerKVM CI","email":"kvmpower@linux.vnet.ibm.com","username":"powerkvm","tags":["SERVICE_USER"]},"state":"REVIEWER"},{"updated":"2015-03-12 05:22:21.000000000","updated_by":{"_account_id":10385,"name":"Citrix XenServer CI","username":"citrix_xenserver_ci","tags":["SERVICE_USER"]},"reviewer":{"_account_id":10385,"name":"Citrix XenServer CI","username":"citrix_xenserver_ci","tags":["SERVICE_USER"]},"state":"REVIEWER"},{"updated":"2015-03-12 05:56:55.000000000","updated_by":{"_account_id":12898,"name":"Tony Breeds","email":"tony@bakeyournoodle.com","username":"tonyb"},"reviewer":{"_account_id":12898,"name":"Tony Breeds","email":"tony@bakeyournoodle.com","username":"tonyb"},"state":"REVIEWER"},{"updated":"2015-03-12 10:57:47.000000000","updated_by":{"_account_id":2750,"name":"Sean Dague","email":"sean@dague.net","username":"sdague"},"reviewer":{"_account_id":2750,"name":"Sean Dague","email":"sean@dague.net","username":"sdague"},"state":"REVIEWER"},{"updated":"2015-03-12 12:32:43.000000000","updated_by":{"_account_id":11561,"name":"Dave McCowan","email":"dmccowan@cisco.com","username":"dave-mccowan"},"reviewer":{"_account_id":11561,"name":"Dave McCowan","email":"dmccowan@cisco.com","username":"dave-mccowan"},"state":"REVIEWER"},{"updated":"2015-03-12 13:36:49.000000000","updated_by":{"_account_id":2230,"name":"Paul 
McMillan","email":"paul@mcmillan.ws","username":"paul-mcmillan"},"reviewer":{"_account_id":2230,"name":"Paul McMillan","email":"paul@mcmillan.ws","username":"paul-mcmillan"},"state":"REVIEWER"},{"updated":"2015-03-12 13:55:22.000000000","updated_by":{"_account_id":9555,"name":"Matthew Booth","email":"mbooth@redhat.com","username":"MatthewBooth"},"reviewer":{"_account_id":9555,"name":"Matthew Booth","email":"mbooth@redhat.com","username":"MatthewBooth"},"state":"REVIEWER"},{"updated":"2015-03-12 14:22:58.000000000","updated_by":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"reviewer":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"state":"REVIEWER"},{"updated":"2015-03-12 15:31:08.000000000","updated_by":{"_account_id":3,"name":"Jenkins","username":"jenkins"},"reviewer":{"_account_id":3,"name":"Jenkins","username":"jenkins"},"state":"REVIEWER"},{"updated":"2015-03-12 19:35:22.000000000","updated_by":{"_account_id":9578,"name":"DB Datasets CI","email":"turbo-hipster@lists.rcbops.com","username":"turbo-hipster","tags":["SERVICE_USER"]},"reviewer":{"_account_id":9578,"name":"DB Datasets CI","email":"turbo-hipster@lists.rcbops.com","username":"turbo-hipster","tags":["SERVICE_USER"]},"state":"REVIEWER"},{"updated":"2015-03-17 06:18:37.000000000","updated_by":{"_account_id":9008,"name":"VMware NSX CI","username":"vmwareminesweeper","tags":["SERVICE_USER"]},"reviewer":{"_account_id":9008,"name":"VMware NSX CI","username":"vmwareminesweeper","tags":["SERVICE_USER"]},"state":"REVIEWER"}],"messages":[{"id":"9c8c01d8806faf1d8ca0e432002abdab53de4fcf","author":{"_account_id":9311,"name":"Tristan Cacqueray","email":"tdecacqu@redhat.com","username":"tristanC"},"date":"2015-03-10 15:00:24.000000000","message":"Uploaded patch set 1.","accounts_in_message":[],"_revision_number":1},{"id":"534c9ec8f66d807f8cf576ad5eb200bbe9d88015","author":{"_account_id":9578,"name":"DB Datasets 
CI","email":"turbo-hipster@lists.rcbops.com","username":"turbo-hipster","tags":["SERVICE_USER"]},"date":"2015-03-10 15:25:37.000000000","message":"Patch Set 1: Verified+1\n\nDatabase migration testing successful.\n\n- real-db-upgrade_nova_mysql_devstack_131007:th-mysql http://www.rcbops.com/turbo_hipster/results/33/163033/1/check/real-db-upgrade_nova_mysql_devstack_131007:th-mysql/21d7c38d17b44e49b0d3a9826adc0f6f/index.html : SUCCESS in 20m 44s\n- real-db-upgrade_nova_mysql_user_001:th-mysql http://www.rcbops.com/turbo_hipster/results/33/163033/1/check/real-db-upgrade_nova_mysql_user_001:th-mysql/849124a7c55c4290a139989dc3ee6fe4/index.html : SUCCESS in 23m 30s\n- real-db-upgrade_nova_percona_devstack_131007:th-percona http://www.rcbops.com/turbo_hipster/results/33/163033/1/check/real-db-upgrade_nova_percona_devstack_131007:th-percona/9ff4f943a5ab45d08e5f1af0eb28ea3d/index.html : SUCCESS in 20m 38s\n- real-db-upgrade_nova_percona_user_001:th-percona http://www.rcbops.com/turbo_hipster/results/33/163033/1/check/real-db-upgrade_nova_percona_user_001:th-percona/121fd3a2198243f98837b934d991ae83/index.html : SUCCESS in 24m 16s\n- real-db-upgrade_nova_mysql_user_002:th-mysql http://www.rcbops.com/turbo_hipster/results/33/163033/1/check/real-db-upgrade_nova_mysql_user_002:th-mysql/64084dd632a44d83b2d6a0d71a0b53cc/index.html : SUCCESS in 20m 42s\n- real-db-upgrade_nova_percona_user_002:th-percona http://www.rcbops.com/turbo_hipster/results/33/163033/1/check/real-db-upgrade_nova_percona_user_002:th-percona/56563f490f3c40f3a547fc66b301d67c/index.html : SUCCESS in 21m 16s\n\nTo recheck, leave \u0027recheck migrations\u0027 as a comment. 
More information: https://wiki.openstack.org/wiki/ThirdPartySystems/DB_Datasets_CI","accounts_in_message":[],"_revision_number":1},{"id":"0840df6226631ffb9b38031ae0d1f713e4137ac7","author":{"_account_id":10118,"name":"IBM PowerKVM CI","email":"kvmpower@linux.vnet.ibm.com","username":"powerkvm","tags":["SERVICE_USER"]},"date":"2015-03-10 15:30:08.000000000","message":"Patch Set 1:\n\nTesting completed on IBM PowerKVM platform. For rechecking only on the IBM PowerKVM CI, add a review comment with recheck-pkvm. Contact info: kvmpower@linux.vnet.ibm.com. For more information, see https://wiki.openstack.org/wiki/PowerKVM\n\n- check-ibm-tempest-dsvm-full http://dal05.objectstorage.softlayer.net/v1/AUTH_3d8e6ecb-f597-448c-8ec2-164e9f710dd6/pkvmci/163033/1/check-ibm-tempest-dsvm-full/422eda8 : SUCCESS in 29m 16s (non-voting)\n- check-ibm-tempest-dsvm-postgres-full http://dal05.objectstorage.softlayer.net/v1/AUTH_3d8e6ecb-f597-448c-8ec2-164e9f710dd6/pkvmci/163033/1/check-ibm-tempest-dsvm-postgres-full/07b1c50 : SUCCESS in 28m 58s (non-voting)","accounts_in_message":[],"_revision_number":1},{"id":"fd03b44b4f91cb847c92b8cca96638ff467ece8d","author":{"_account_id":10385,"name":"Citrix XenServer CI","username":"citrix_xenserver_ci","tags":["SERVICE_USER"]},"date":"2015-03-10 16:12:52.000000000","message":"Patch Set 1: Verified-1\n\nFailed using XenAPI driver with XenServer 6.2: Logs at http://dd6b71949550285df7dc-dda4e480e005aaa13ec303551d2d8155.r49.cf1.rackcdn.com/33/163033/1/12534/results.html\n\nUse \"xenserver: recheck\" to trigger only xenserver re-check.  
XenServer CI contact: openstack@citrix.com.\n\nDebugging suggestions at https://wiki.openstack.org/wiki/Debugging_XenServer_CI_failures","accounts_in_message":[],"_revision_number":1},{"id":"fec9fb3338355b4cfe2f849f19af828ed9ce129b","author":{"_account_id":11103,"name":"Intel PCI CI","email":"otc_cloud@163.com","username":"intelotccloud","inactive":true,"tags":["SERVICE_USER"]},"date":"2015-03-10 16:14:19.000000000","message":"Patch Set 1:\n\nBuild Successful. Logs at http://198.175.100.33/163033/1","accounts_in_message":[],"_revision_number":1},{"id":"d8a7a5d35248bb8bfbc14d5c882c7bbee1d0cda0","author":{"_account_id":3,"name":"Jenkins","username":"jenkins"},"date":"2015-03-10 16:28:35.000000000","message":"Patch Set 1: Verified+1\n\nBuild succeeded (check pipeline).\n\n- gate-nova-pep8 http://logs.openstack.org/33/163033/1/check/gate-nova-pep8/dbd62c2/ : SUCCESS in 8m 19s\n- gate-nova-docs http://docs-draft.openstack.org/33/163033/1/check/gate-nova-docs/9c2b0f1//doc/build/html/ : SUCCESS in 8m 05s\n- gate-nova-python27 http://logs.openstack.org/33/163033/1/check/gate-nova-python27/786f1df/ : SUCCESS in 10m 46s\n- check-tempest-dsvm-full http://logs.openstack.org/33/163033/1/check/check-tempest-dsvm-full/5d94bae/ : SUCCESS in 44m 52s\n- check-tempest-dsvm-postgres-full http://logs.openstack.org/33/163033/1/check/check-tempest-dsvm-postgres-full/313fd44/ : SUCCESS in 43m 30s\n- check-tempest-dsvm-neutron-full http://logs.openstack.org/33/163033/1/check/check-tempest-dsvm-neutron-full/d5787ff/ : SUCCESS in 48m 31s\n- check-grenade-dsvm http://logs.openstack.org/33/163033/1/check/check-grenade-dsvm/390642e/ : SUCCESS in 40m 42s\n- gate-tempest-dsvm-large-ops http://logs.openstack.org/33/163033/1/check/gate-tempest-dsvm-large-ops/2571f81/ : SUCCESS in 21m 54s\n- gate-tempest-dsvm-neutron-large-ops http://logs.openstack.org/33/163033/1/check/gate-tempest-dsvm-neutron-large-ops/096f3ce/ : SUCCESS in 21m 14s\n- check-devstack-dsvm-cells 
http://logs.openstack.org/33/163033/1/check/check-devstack-dsvm-cells/fa3da85/ : SUCCESS in 25m 28s\n- gate-nova-tox-functional http://logs.openstack.org/33/163033/1/check/gate-nova-tox-functional/ba0e31f/ : SUCCESS in 10m 38s\n- check-grenade-dsvm-partial-ncpu http://logs.openstack.org/33/163033/1/check/check-grenade-dsvm-partial-ncpu/840d793/ : SUCCESS in 39m 00s\n- check-tempest-dsvm-ironic-pxe_ssh http://logs.openstack.org/33/163033/1/check/check-tempest-dsvm-ironic-pxe_ssh/0a6c53e/ : SUCCESS in 42m 45s\n- check-tempest-dsvm-nova-v21-full http://logs.openstack.org/33/163033/1/check/check-tempest-dsvm-nova-v21-full/7467457/ : SUCCESS in 44m 58s\n- check-tempest-dsvm-cells http://logs.openstack.org/33/163033/1/check/check-tempest-dsvm-cells/bcd0f58/ : FAILURE in 34m 59s (non-voting)\n- check-tempest-dsvm-full-ceph http://logs.openstack.org/33/163033/1/check/check-tempest-dsvm-full-ceph/51aebf2/ : SUCCESS in 41m 13s (non-voting)","accounts_in_message":[],"_revision_number":1},{"id":"6cbf316826f572f2e7bfb8f9b26f1b08ceb8c48d","author":{"_account_id":9311,"name":"Tristan Cacqueray","email":"tdecacqu@redhat.com","username":"tristanC"},"date":"2015-03-10 17:44:52.000000000","message":"Patch Set 1:\n\nxenserver: recheck","accounts_in_message":[],"_revision_number":1},{"id":"3caba8b9ef7a308130389eb95c976c259658845d","author":{"_account_id":5441,"name":"Andrew Laski","email":"andrew@lascii.com","username":"alaski"},"date":"2015-03-10 18:17:21.000000000","message":"Patch Set 1: Code-Review+2\n\nAlready reviewed as a security bug in private.  
Due to backport constraints this approach was taken as the most effective without modifying RPC apis.","accounts_in_message":[],"_revision_number":1},{"id":"c8de49fdd066e1a558ff0bd48d642caf2d76391b","author":{"_account_id":10385,"name":"Citrix XenServer CI","username":"citrix_xenserver_ci","tags":["SERVICE_USER"]},"date":"2015-03-10 18:47:52.000000000","message":"Patch Set 1: Verified+1\n\nPassed using XenAPI driver with XenServer 6.2: Logs at http://dd6b71949550285df7dc-dda4e480e005aaa13ec303551d2d8155.r49.cf1.rackcdn.com/33/163033/1/12569/results.html\n\nUse \"xenserver: recheck\" to trigger only xenserver re-check.  XenServer CI contact: openstack@citrix.com.\n\nDebugging suggestions at https://wiki.openstack.org/wiki/Debugging_XenServer_CI_failures","accounts_in_message":[],"_revision_number":1},{"id":"a661dd9a080cd538d21087829eb839e42c39d201","author":{"_account_id":12898,"name":"Tony Breeds","email":"tony@bakeyournoodle.com","username":"tonyb"},"date":"2015-03-11 00:31:19.000000000","message":"Patch Set 1: Code-Review+1","accounts_in_message":[],"_revision_number":1},{"id":"f188398e77be315b1893bdb24f8b5d14fc95548c","author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"date":"2015-03-11 14:43:30.000000000","message":"Patch Set 1:\n\n(1 comment)","accounts_in_message":[],"_revision_number":1},{"id":"2b15973f75af0ac129690872f472d0be284d3d0d","author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"date":"2015-03-11 14:46:42.000000000","message":"Patch Set 2: Commit message was updated","accounts_in_message":[],"_revision_number":2},{"id":"63b2892c41819026420f4f46a40e3cf9202095d7","author":{"_account_id":5441,"name":"Andrew Laski","email":"andrew@lascii.com","username":"alaski"},"date":"2015-03-11 14:47:15.000000000","message":"Patch Set 2: Code-Review+2\n\nJust a commit message 
update","accounts_in_message":[],"_revision_number":2},{"id":"1ba1cc217d94e96510149da2bc1ac0553bcf0cb7","author":{"_account_id":11103,"name":"Intel PCI CI","email":"otc_cloud@163.com","username":"intelotccloud","inactive":true,"tags":["SERVICE_USER"]},"date":"2015-03-11 14:51:33.000000000","message":"Patch Set 2:\n\nBuild Failed. Logs at http://198.175.100.33/163033/2","accounts_in_message":[],"_revision_number":2},{"id":"989c0edc960a1dd6f1503f8bec026485fe3927f3","author":{"_account_id":1779,"name":"Daniel Berrange","email":"berrange@redhat.com","username":"berrange"},"date":"2015-03-11 14:56:45.000000000","message":"Patch Set 2: Code-Review-1\n\n(1 comment)","accounts_in_message":[],"_revision_number":2},{"id":"87c99f60953c80aa57ce21596e60519f89c23482","author":{"_account_id":7677,"name":"Solly Ross","email":"sross@redhat.com","username":"sross"},"date":"2015-03-11 15:01:08.000000000","message":"Patch Set 2: Code-Review-1\n\n(1 comment)\n\nThis looks like it will break access to serial consoles, but otherwise generally looks good.","accounts_in_message":[],"_revision_number":2},{"id":"e41dc6dd3e93f1e608fbd049fd07a82307e26511","author":{"_account_id":9311,"name":"Tristan Cacqueray","email":"tdecacqu@redhat.com","username":"tristanC"},"date":"2015-03-11 15:09:08.000000000","message":"Patch Set 2:\n\n@Dan, well that would be a first to have the CVE number in title... I\u0027m concerned about the extra work because patches often get posted before the CVE is assigned... 
If you really want the extra information, it may be better in the Closes-bug line...\n\n@Solly, can you explain how this would break serial consoles ?","accounts_in_message":[],"_revision_number":2},{"id":"fbd5d36c2f7069a1f1b0fa712bb46a852b3dd1bb","author":{"_account_id":7677,"name":"Solly Ross","email":"sross@redhat.com","username":"sross"},"date":"2015-03-11 15:18:52.000000000","message":"Patch Set 2:\n\nFor one, you\u0027re missing the `if console_type \u003d\u003d \u0027serial\u0027` case, so you\u0027ll just jump directly to the `else` case (which raises an exception).\n\nAdditionally, anyone using a terminal-based client to access the serial console (as was needed before (https://review.openstack.org/#/c/144659/) will probably have issues unless they fake the Origin header (not as big of a deal, but probably worth mentioning).","accounts_in_message":[],"_revision_number":2},{"id":"00aa71566d650c79adb54b061ab1db434ecf6687","author":{"_account_id":10118,"name":"IBM PowerKVM CI","email":"kvmpower@linux.vnet.ibm.com","username":"powerkvm","tags":["SERVICE_USER"]},"date":"2015-03-11 15:20:29.000000000","message":"Patch Set 2:\n\nTesting completed on IBM PowerKVM platform. For rechecking only on the IBM PowerKVM CI, add a review comment with recheck-pkvm. Contact info: kvmpower@linux.vnet.ibm.com. 
For more information, see https://wiki.openstack.org/wiki/PowerKVM\n\n- check-ibm-tempest-dsvm-full http://dal05.objectstorage.softlayer.net/v1/AUTH_3d8e6ecb-f597-448c-8ec2-164e9f710dd6/pkvmci/163033/2/check-ibm-tempest-dsvm-full/41bb714 : SUCCESS in 27m 01s (non-voting)\n- check-ibm-tempest-dsvm-postgres-full http://dal05.objectstorage.softlayer.net/v1/AUTH_3d8e6ecb-f597-448c-8ec2-164e9f710dd6/pkvmci/163033/2/check-ibm-tempest-dsvm-postgres-full/ebe1364 : SUCCESS in 33m 23s (non-voting)","accounts_in_message":[],"_revision_number":2},{"id":"fe437f5bcbf7110871491ab5666cba8fea63f3b8","author":{"_account_id":9555,"name":"Matthew Booth","email":"mbooth@redhat.com","username":"MatthewBooth"},"date":"2015-03-11 15:53:23.000000000","message":"Patch Set 2: Code-Review-1\n\nFWIW, I would consider breaking the command line client to be a serious regression.","accounts_in_message":[],"_revision_number":2},{"id":"9a178865cad0f9141a5e5585c1638076add29e2d","author":{"_account_id":7677,"name":"Solly Ross","email":"sross@redhat.com","username":"sross"},"date":"2015-03-11 16:09:01.000000000","message":"Patch Set 2:\n\n@mbooth: just to clarify, I wasn\u0027t referring to the official CLI (`nova get-serial-console` and friends, which just get the appropriate url), but rather something like http://blog.oddbit.com/2014/12/22/accessing-the-serial-console-of-your-nova-servers/.","accounts_in_message":[],"_revision_number":2},{"id":"767f6ca4a58b37258c33123c428de6161342e097","author":{"_account_id":9311,"name":"Tristan Cacqueray","email":"tdecacqu@redhat.com","username":"tristanC"},"date":"2015-03-11 16:09:39.000000000","message":"Patch Set 2:\n\n@Solly Thanks! 
So apparently serial console is using the websocket proxy since juno right ?\n\nIs someone working on an update ?","accounts_in_message":[],"_revision_number":2},{"id":"3bcd26646c04b7fcc3855b81356cfeff670f2031","author":{"_account_id":10385,"name":"Citrix XenServer CI","username":"citrix_xenserver_ci","tags":["SERVICE_USER"]},"date":"2015-03-11 16:31:05.000000000","message":"Patch Set 2: Verified+1\n\nPassed using XenAPI driver with XenServer 6.2: Logs at http://dd6b71949550285df7dc-dda4e480e005aaa13ec303551d2d8155.r49.cf1.rackcdn.com/33/163033/2/12752/results.html\n\nUse \"xenserver: recheck\" to trigger only xenserver re-check.  XenServer CI contact: openstack@citrix.com.\n\nDebugging suggestions at https://wiki.openstack.org/wiki/Debugging_XenServer_CI_failures","accounts_in_message":[],"_revision_number":2},{"id":"6194f6abcb92fe761714cce537e270b01bc4c90d","author":{"_account_id":9555,"name":"Matthew Booth","email":"mbooth@redhat.com","username":"MatthewBooth"},"date":"2015-03-11 16:41:19.000000000","message":"Patch Set 2:\n\n(1 comment)","accounts_in_message":[],"_revision_number":2},{"id":"7e4abf005f92d8669c9331661c73a9a78d4061e2","author":{"_account_id":3,"name":"Jenkins","username":"jenkins"},"date":"2015-03-11 16:47:33.000000000","message":"Patch Set 2: Verified+1\n\nBuild succeeded (check pipeline).\n\n- gate-nova-pep8 http://logs.openstack.org/33/163033/2/check/gate-nova-pep8/17d8858/ : SUCCESS in 8m 55s\n- gate-nova-docs http://docs-draft.openstack.org/33/163033/2/check/gate-nova-docs/c77e535//doc/build/html/ : SUCCESS in 8m 15s\n- gate-nova-python27 http://logs.openstack.org/33/163033/2/check/gate-nova-python27/99e847d/ : SUCCESS in 12m 11s\n- check-tempest-dsvm-full http://logs.openstack.org/33/163033/2/check/check-tempest-dsvm-full/e3a9ac4/ : SUCCESS in 48m 33s\n- check-tempest-dsvm-postgres-full http://logs.openstack.org/33/163033/2/check/check-tempest-dsvm-postgres-full/049ecb7/ : SUCCESS in 41m 11s\n- check-tempest-dsvm-neutron-full 
http://logs.openstack.org/33/163033/2/check/check-tempest-dsvm-neutron-full/dcd5074/ : SUCCESS in 50m 54s\n- check-grenade-dsvm http://logs.openstack.org/33/163033/2/check/check-grenade-dsvm/1508bb7/ : SUCCESS in 45m 45s\n- gate-tempest-dsvm-large-ops http://logs.openstack.org/33/163033/2/check/gate-tempest-dsvm-large-ops/099a3f9/ : SUCCESS in 25m 09s\n- gate-tempest-dsvm-neutron-large-ops http://logs.openstack.org/33/163033/2/check/gate-tempest-dsvm-neutron-large-ops/667b978/ : SUCCESS in 25m 09s\n- check-devstack-dsvm-cells http://logs.openstack.org/33/163033/2/check/check-devstack-dsvm-cells/c8d2570/ : SUCCESS in 22m 25s\n- gate-nova-tox-functional http://logs.openstack.org/33/163033/2/check/gate-nova-tox-functional/65bc439/ : SUCCESS in 11m 14s\n- check-grenade-dsvm-partial-ncpu http://logs.openstack.org/33/163033/2/check/check-grenade-dsvm-partial-ncpu/7cd6ee1/ : SUCCESS in 42m 56s\n- check-tempest-dsvm-ironic-pxe_ssh http://logs.openstack.org/33/163033/2/check/check-tempest-dsvm-ironic-pxe_ssh/ddd4612/ : SUCCESS in 38m 33s\n- check-tempest-dsvm-nova-v21-full http://logs.openstack.org/33/163033/2/check/check-tempest-dsvm-nova-v21-full/435497a/ : SUCCESS in 44m 56s\n- check-tempest-dsvm-cells http://logs.openstack.org/33/163033/2/check/check-tempest-dsvm-cells/f3eac35/ : FAILURE in 32m 49s (non-voting)\n- check-tempest-dsvm-full-ceph http://logs.openstack.org/33/163033/2/check/check-tempest-dsvm-full-ceph/8a2e3aa/ : SUCCESS in 33m 12s (non-voting)","accounts_in_message":[],"_revision_number":2},{"id":"965d32ba01ea6ab3a5fdcf3a6a241c2e9a4d9c00","author":{"_account_id":9555,"name":"Matthew Booth","email":"mbooth@redhat.com","username":"MatthewBooth"},"date":"2015-03-11 17:06:04.000000000","message":"Patch Set 2:\n\nSo, everything I\u0027ve tested so far, including the novaconsole command line tool, sets Origin correctly. This looks like a non-issue to me. 
Gracefully handling a request which doesn\u0027t contain Origin, therefore, looks like a nice to have.\n\nHowever, I have confirmed through testing that this patch breaks access to the serial console:\n\n2015-03-11 17:03:49.492 INFO nova.console.websocketproxy [req-07e7bd27-f86c-4735-9860-6d9fa1f8d317 None None] handler exception: Invalid Console Type for WebSocketProxy: \u0027serial\u0027","accounts_in_message":[],"_revision_number":2},{"id":"491a0acebfcb3021cf5e608131903abc2f8b43b6","author":{"_account_id":11561,"name":"Dave McCowan","email":"dmccowan@cisco.com","username":"dave-mccowan"},"date":"2015-03-11 18:49:40.000000000","message":"Patch Set 2:\n\nI\u0027ll update the patch to include serial for Juno and Kilo.  Is this the complete list?  Can someone confirm that there are no other serial types that use the websocket proxy?","accounts_in_message":[],"_revision_number":2},{"id":"172237a2a8666885fa7fd89648db3d7579a52f8e","author":{"_account_id":9311,"name":"Tristan Cacqueray","email":"tdecacqu@redhat.com","username":"tristanC"},"date":"2015-03-11 19:23:29.000000000","message":"Patch Set 2:\n\n@Nova-core, please confirm that there are no other console type...\n\nAccording to https://tools.ietf.org/html/rfc6455#section-10.1, if Origin is missing (e.g. 
connection coming from an out-of-browser client) then we could skip the origin test entirely.","accounts_in_message":[],"_revision_number":2},{"id":"3a5d972d2d7137e2e9364535cde9d67e137f712a","author":{"_account_id":9555,"name":"Matthew Booth","email":"mbooth@redhat.com","username":"MatthewBooth"},"date":"2015-03-11 19:39:44.000000000","message":"Patch Set 2:\n\nWe can construct a list from nova/api/openstack/compute/schemas/v3/remote_consoles.py:\n\nnovnc\nxvpvnc\nspice-html5\nrdp-html5\nserial\n\nThis is also borne out by grepping for \u0027console_type \u003d\u003d \u0027 in nova/compute/manager.py","accounts_in_message":[],"_revision_number":2},{"id":"9f1c82b021633155ecd6bd57b0266c7fac0d4590","author":{"_account_id":11561,"name":"Dave McCowan","email":"dmccowan@cisco.com","username":"dave-mccowan"},"date":"2015-03-11 19:47:44.000000000","message":"Patch Set 2:\n\nAre novnc, spice, and serial the only ones that use websocketproxy?","accounts_in_message":[],"_revision_number":2},{"id":"0a99a1a03ae44148cdf590cc8ab2a777347d89e8","author":{"_account_id":9311,"name":"Tristan Cacqueray","email":"tdecacqu@redhat.com","username":"tristanC"},"date":"2015-03-11 19:54:44.000000000","message":"Patch Set 2:\n\n\"grep -r NovaWebSocketProxy nova/\" only shows vnc, spice and serial","accounts_in_message":[],"_revision_number":2},{"id":"c1385667f9df9af01bd1f4b7965779b0e44aaf7d","author":{"_account_id":11561,"name":"Dave McCowan","email":"dmccowan@cisco.com","username":"dave-mccowan"},"date":"2015-03-11 21:08:21.000000000","message":"Uploaded patch set 3.","accounts_in_message":[],"_revision_number":3},{"id":"24cfcf26984af67d219f15f163ad037ab935f8f9","author":{"_account_id":11561,"name":"Dave McCowan","email":"dmccowan@cisco.com","username":"dave-mccowan"},"date":"2015-03-11 21:13:18.000000000","message":"Patch Set 3:\n\nPatch 3 addresses the above comments.  
It\n1) Includes console-type \u0027serial\u0027 with the knowledge that novnc, spice, and serial are the only three types supported by websocketproxy.\n2) Allows for a missing Origin header for non-browser clients, but still rejects a blank Origin header.","accounts_in_message":[],"_revision_number":3},{"id":"a2b35e2f77fbba54abbe182b941dfbd5cfb4ecb9","author":{"_account_id":11561,"name":"Dave McCowan","email":"dmccowan@cisco.com","username":"dave-mccowan"},"date":"2015-03-11 21:16:15.000000000","message":"Uploaded patch set 4.","accounts_in_message":[],"_revision_number":4},{"id":"2225cc68a81a7cf45053be98df6974ea2839f1bc","author":{"_account_id":11103,"name":"Intel PCI CI","email":"otc_cloud@163.com","username":"intelotccloud","inactive":true,"tags":["SERVICE_USER"]},"date":"2015-03-11 21:16:23.000000000","message":"Patch Set 3:\n\nBuild Failed. Logs at http://198.175.100.33/163033/3","accounts_in_message":[],"_revision_number":3},{"id":"61b390cbda2cf9cceba8eff4010c98d5c5eb625b","author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"date":"2015-03-11 21:18:45.000000000","message":"Patch Set 4: Code-Review+1\n\nCode looks okay, but it would be good to make sure it works with the serial client first I think. I also think we could probably use more coverage in the tests, but given the timing of this, we can follow up with that.","accounts_in_message":[],"_revision_number":4},{"id":"8fedad08458dbbbce7016d93a76e5c74bb3bbb9f","author":{"_account_id":11103,"name":"Intel PCI CI","email":"otc_cloud@163.com","username":"intelotccloud","inactive":true,"tags":["SERVICE_USER"]},"date":"2015-03-11 21:44:21.000000000","message":"Patch Set 4:\n\nBuild Successful. 
Logs at http://198.175.100.33/163033/4","accounts_in_message":[],"_revision_number":4},{"id":"83b40e899110c6deb59764afa0018a0d7cf24c2d","author":{"_account_id":10118,"name":"IBM PowerKVM CI","email":"kvmpower@linux.vnet.ibm.com","username":"powerkvm","tags":["SERVICE_USER"]},"date":"2015-03-11 21:52:58.000000000","message":"Patch Set 4:\n\nTesting completed on IBM PowerKVM platform. For rechecking only on the IBM PowerKVM CI, add a review comment with recheck-pkvm. Contact info: kvmpower@linux.vnet.ibm.com. For more information, see https://wiki.openstack.org/wiki/PowerKVM\n\n- check-ibm-tempest-dsvm-full http://dal05.objectstorage.softlayer.net/v1/AUTH_3d8e6ecb-f597-448c-8ec2-164e9f710dd6/pkvmci/163033/4/check-ibm-tempest-dsvm-full/46770a0 : SUCCESS in 35m 47s (non-voting)\n- check-ibm-tempest-dsvm-postgres-full http://dal05.objectstorage.softlayer.net/v1/AUTH_3d8e6ecb-f597-448c-8ec2-164e9f710dd6/pkvmci/163033/4/check-ibm-tempest-dsvm-postgres-full/2d95705 : SUCCESS in 30m 00s (non-voting)","accounts_in_message":[],"_revision_number":4},{"id":"e6950f7a5f9f0c706943c3946df1c1ff12182f49","author":{"_account_id":10385,"name":"Citrix XenServer CI","username":"citrix_xenserver_ci","tags":["SERVICE_USER"]},"date":"2015-03-11 22:34:33.000000000","message":"Patch Set 4: Verified+1\n\nPassed using XenAPI driver with XenServer 6.2: Logs at http://dd6b71949550285df7dc-dda4e480e005aaa13ec303551d2d8155.r49.cf1.rackcdn.com/33/163033/4/12811/results.html\n\nUse \"xenserver: recheck\" to trigger only xenserver re-check.  
XenServer CI contact: openstack@citrix.com.\n\nDebugging suggestions at https://wiki.openstack.org/wiki/Debugging_XenServer_CI_failures","accounts_in_message":[],"_revision_number":4},{"id":"41b2e8e6bb136f659f8e9fc9647879d685602067","author":{"_account_id":2271,"name":"Michael Still","email":"mikal@stillhq.com","username":"mikalstill"},"date":"2015-03-11 23:11:36.000000000","message":"Patch Set 4: Code-Review+2\n\nGiven the background of this bug I am ok with this merging.","accounts_in_message":[],"_revision_number":4},{"id":"d273c4f15fe6b0e450a8dc5c5f2491a4341174d2","author":{"_account_id":3,"name":"Jenkins","username":"jenkins"},"date":"2015-03-11 23:24:15.000000000","message":"Patch Set 4: Verified+1\n\nBuild succeeded (check pipeline).\n\n- gate-nova-pep8 http://logs.openstack.org/33/163033/4/check/gate-nova-pep8/61cea0a/ : SUCCESS in 8m 40s\n- gate-nova-docs http://docs-draft.openstack.org/33/163033/4/check/gate-nova-docs/96b45ba//doc/build/html/ : SUCCESS in 9m 43s\n- gate-nova-python27 http://logs.openstack.org/33/163033/4/check/gate-nova-python27/0cda049/ : SUCCESS in 12m 17s\n- check-tempest-dsvm-full http://logs.openstack.org/33/163033/4/check/check-tempest-dsvm-full/e18313a/ : SUCCESS in 47m 13s\n- check-tempest-dsvm-postgres-full http://logs.openstack.org/33/163033/4/check/check-tempest-dsvm-postgres-full/45be690/ : SUCCESS in 39m 51s\n- check-tempest-dsvm-neutron-full http://logs.openstack.org/33/163033/4/check/check-tempest-dsvm-neutron-full/2f55890/ : SUCCESS in 50m 14s\n- check-grenade-dsvm http://logs.openstack.org/33/163033/4/check/check-grenade-dsvm/01c0b11/ : SUCCESS in 40m 39s\n- gate-tempest-dsvm-large-ops http://logs.openstack.org/33/163033/4/check/gate-tempest-dsvm-large-ops/2bf7d5d/ : SUCCESS in 28m 39s\n- gate-tempest-dsvm-neutron-large-ops http://logs.openstack.org/33/163033/4/check/gate-tempest-dsvm-neutron-large-ops/4fbfadf/ : SUCCESS in 21m 04s\n- check-devstack-dsvm-cells 
http://logs.openstack.org/33/163033/4/check/check-devstack-dsvm-cells/e3ed96b/ : SUCCESS in 19m 33s\n- gate-nova-tox-functional http://logs.openstack.org/33/163033/4/check/gate-nova-tox-functional/8befec6/ : SUCCESS in 11m 39s\n- check-grenade-dsvm-partial-ncpu http://logs.openstack.org/33/163033/4/check/check-grenade-dsvm-partial-ncpu/e2e5789/ : SUCCESS in 43m 43s\n- check-tempest-dsvm-ironic-pxe_ssh http://logs.openstack.org/33/163033/4/check/check-tempest-dsvm-ironic-pxe_ssh/97cf873/ : SUCCESS in 44m 20s\n- check-tempest-dsvm-nova-v21-full http://logs.openstack.org/33/163033/4/check/check-tempest-dsvm-nova-v21-full/a685985/ : SUCCESS in 40m 17s\n- check-tempest-dsvm-cells http://logs.openstack.org/33/163033/4/check/check-tempest-dsvm-cells/f9634a7/ : FAILURE in 34m 21s (non-voting)\n- check-tempest-dsvm-full-ceph http://logs.openstack.org/33/163033/4/check/check-tempest-dsvm-full-ceph/eea7a4c/ : SUCCESS in 37m 07s (non-voting)","accounts_in_message":[],"_revision_number":4},{"id":"ff0878d08e2dae67a41eb755d3f45b884f8b917c","author":{"_account_id":12898,"name":"Tony Breeds","email":"tony@bakeyournoodle.com","username":"tonyb"},"date":"2015-03-12 02:39:16.000000000","message":"Patch Set 4: Code-Review-1\n\nFirstly I apologise upfront I should have caught this sooner.\n\nPatchset 2 still breaks serial console:\n\nAfter following\nhttp://docs.openstack.org/developer/nova/devref/testing/serial-console.html\nI hit the \"Origin header does not match this host.\" case because:\nexpected_origin_netloc \u003d 127.0.0.1\norigin_netloc \u003d 127.0.0.1:6083\n\nAs port is an optional  portion of the Host header I don\u0027t think we have any choice but to disregard it if it is not present in *both* Host and Origin headers.","accounts_in_message":[],"_revision_number":4},{"id":"87e1ff75bc551560407af0cf803c81a9ee9aadcb","author":{"_account_id":12898,"name":"Tony Breeds","email":"tony@bakeyournoodle.com","username":"tonyb"},"date":"2015-03-12 
02:40:58.000000000","message":"Uploaded patch set 5.","accounts_in_message":[],"_revision_number":5},{"id":"ae81040eb6b17a418eadef15cab4eca4c4ec7c67","author":{"_account_id":12898,"name":"Tony Breeds","email":"tony@bakeyournoodle.com","username":"tonyb"},"date":"2015-03-12 02:42:49.000000000","message":"Patch Set 5:\n\nWith patchset 5 serial console works when setup as per:\nhttp://docs.openstack.org/developer/nova/devref/testing/serial-console.html","accounts_in_message":[],"_revision_number":5},{"id":"ddaa9841218581e5180479d5e2aa1a83b54da603","author":{"_account_id":11103,"name":"Intel PCI CI","email":"otc_cloud@163.com","username":"intelotccloud","inactive":true,"tags":["SERVICE_USER"]},"date":"2015-03-12 03:09:14.000000000","message":"Patch Set 5:\n\nBuild Successful. Logs at http://198.175.100.33/163033/5","accounts_in_message":[],"_revision_number":5},{"id":"cbea69ca1243ca98ec9de34a6cf321da70e09f4b","author":{"_account_id":10118,"name":"IBM PowerKVM CI","email":"kvmpower@linux.vnet.ibm.com","username":"powerkvm","tags":["SERVICE_USER"]},"date":"2015-03-12 03:13:21.000000000","message":"Patch Set 5:\n\nTesting completed on IBM PowerKVM platform. For rechecking only on the IBM PowerKVM CI, add a review comment with recheck-pkvm. Contact info: kvmpower@linux.vnet.ibm.com. 
For more information, see https://wiki.openstack.org/wiki/PowerKVM\n\n- check-ibm-tempest-dsvm-full http://dal05.objectstorage.softlayer.net/v1/AUTH_3d8e6ecb-f597-448c-8ec2-164e9f710dd6/pkvmci/163033/5/check-ibm-tempest-dsvm-full/9faf805 : SUCCESS in 32m 01s (non-voting)\n- check-ibm-tempest-dsvm-postgres-full http://dal05.objectstorage.softlayer.net/v1/AUTH_3d8e6ecb-f597-448c-8ec2-164e9f710dd6/pkvmci/163033/5/check-ibm-tempest-dsvm-postgres-full/4ac8977 : SUCCESS in 30m 32s (non-voting)","accounts_in_message":[],"_revision_number":5},{"id":"9d543257c65950717e42bf793d4b8e2d2803deb7","author":{"_account_id":11561,"name":"Dave McCowan","email":"dmccowan@cisco.com","username":"dave-mccowan"},"date":"2015-03-12 03:25:13.000000000","message":"Patch Set 5:\n\nThanks Tony, for the extra testing and the patch.\nTo keep it simple, what do you think about just comparing hostnames instead of netlocs, thus always ignoring port.  That closes the security hole, and keeps the code simpler.","accounts_in_message":[],"_revision_number":5},{"id":"8374405be66c9bfd26c96898c9f078309a68e4bc","author":{"_account_id":10385,"name":"Citrix XenServer CI","username":"citrix_xenserver_ci","tags":["SERVICE_USER"]},"date":"2015-03-12 03:41:20.000000000","message":"Patch Set 5: Verified+1\n\nPassed using XenAPI driver with XenServer 6.2: Logs at http://dd6b71949550285df7dc-dda4e480e005aaa13ec303551d2d8155.r49.cf1.rackcdn.com/33/163033/5/12848/results.html\n\nUse \"xenserver: recheck\" to trigger only xenserver re-check.  
XenServer CI contact: openstack@citrix.com.\n\nDebugging suggestions at https://wiki.openstack.org/wiki/Debugging_XenServer_CI_failures","accounts_in_message":[],"_revision_number":5},{"id":"6515d481292a84895c5c68fe65a07106871a271f","author":{"_account_id":3,"name":"Jenkins","username":"jenkins"},"date":"2015-03-12 03:42:00.000000000","message":"Patch Set 5: Verified+1\n\nBuild succeeded (check pipeline).\n\n- gate-nova-pep8 http://logs.openstack.org/33/163033/5/check/gate-nova-pep8/b3fcd03/ : SUCCESS in 7m 42s\n- gate-nova-docs http://docs-draft.openstack.org/33/163033/5/check/gate-nova-docs/08a7eca//doc/build/html/ : SUCCESS in 7m 37s\n- gate-nova-python27 http://logs.openstack.org/33/163033/5/check/gate-nova-python27/51cb661/ : SUCCESS in 15m 05s\n- check-tempest-dsvm-full http://logs.openstack.org/33/163033/5/check/check-tempest-dsvm-full/589b372/ : SUCCESS in 44m 57s\n- check-tempest-dsvm-postgres-full http://logs.openstack.org/33/163033/5/check/check-tempest-dsvm-postgres-full/4f70496/ : SUCCESS in 46m 03s\n- check-tempest-dsvm-neutron-full http://logs.openstack.org/33/163033/5/check/check-tempest-dsvm-neutron-full/c6e9fbf/ : SUCCESS in 56m 56s\n- check-grenade-dsvm http://logs.openstack.org/33/163033/5/check/check-grenade-dsvm/487e223/ : SUCCESS in 44m 18s\n- gate-tempest-dsvm-large-ops http://logs.openstack.org/33/163033/5/check/gate-tempest-dsvm-large-ops/e837ae1/ : SUCCESS in 28m 12s\n- gate-tempest-dsvm-neutron-large-ops http://logs.openstack.org/33/163033/5/check/gate-tempest-dsvm-neutron-large-ops/0bdd03b/ : SUCCESS in 25m 56s\n- check-devstack-dsvm-cells http://logs.openstack.org/33/163033/5/check/check-devstack-dsvm-cells/763ce42/ : SUCCESS in 22m 30s\n- gate-nova-tox-functional http://logs.openstack.org/33/163033/5/check/gate-nova-tox-functional/9aabb9a/ : SUCCESS in 12m 05s\n- check-grenade-dsvm-partial-ncpu http://logs.openstack.org/33/163033/5/check/check-grenade-dsvm-partial-ncpu/41922f8/ : SUCCESS in 43m 07s\n- check-tempest-dsvm-ironic-pxe_ssh 
http://logs.openstack.org/33/163033/5/check/check-tempest-dsvm-ironic-pxe_ssh/7af7068/ : SUCCESS in 39m 32s\n- check-tempest-dsvm-nova-v21-full http://logs.openstack.org/33/163033/5/check/check-tempest-dsvm-nova-v21-full/2b80507/ : SUCCESS in 40m 28s\n- check-tempest-dsvm-cells http://logs.openstack.org/33/163033/5/check/check-tempest-dsvm-cells/80aeea5/ : FAILURE in 36m 10s (non-voting)\n- check-tempest-dsvm-full-ceph http://logs.openstack.org/33/163033/5/check/check-tempest-dsvm-full-ceph/f77a6a3/ : SUCCESS in 33m 13s (non-voting)","accounts_in_message":[],"_revision_number":5},{"id":"68ccf85e6ba1014ed4023071511e740fd9b07721","author":{"_account_id":11561,"name":"Dave McCowan","email":"dmccowan@cisco.com","username":"dave-mccowan"},"date":"2015-03-12 04:08:46.000000000","message":"Uploaded patch set 6.","accounts_in_message":[],"_revision_number":6},{"id":"a19d2264ef65e2452c9bb0839a79bcc84d550bd1","author":{"_account_id":11103,"name":"Intel PCI CI","email":"otc_cloud@163.com","username":"intelotccloud","inactive":true,"tags":["SERVICE_USER"]},"date":"2015-03-12 04:29:40.000000000","message":"Patch Set 6:\n\nBuild Successful. Logs at http://198.175.100.33/163033/6","accounts_in_message":[],"_revision_number":6},{"id":"9cf36c2d739e66f57b4ab93cda408a4750a5d1ea","author":{"_account_id":10118,"name":"IBM PowerKVM CI","email":"kvmpower@linux.vnet.ibm.com","username":"powerkvm","tags":["SERVICE_USER"]},"date":"2015-03-12 04:42:45.000000000","message":"Patch Set 6:\n\nTesting completed on IBM PowerKVM platform. For rechecking only on the IBM PowerKVM CI, add a review comment with recheck-pkvm. Contact info: kvmpower@linux.vnet.ibm.com. 
For more information, see https://wiki.openstack.org/wiki/PowerKVM\n\n- check-ibm-tempest-dsvm-full http://dal05.objectstorage.softlayer.net/v1/AUTH_3d8e6ecb-f597-448c-8ec2-164e9f710dd6/pkvmci/163033/6/check-ibm-tempest-dsvm-full/aef3735 : SUCCESS in 32m 14s (non-voting)\n- check-ibm-tempest-dsvm-postgres-full http://dal05.objectstorage.softlayer.net/v1/AUTH_3d8e6ecb-f597-448c-8ec2-164e9f710dd6/pkvmci/163033/6/check-ibm-tempest-dsvm-postgres-full/c4732fa : SUCCESS in 32m 45s (non-voting)","accounts_in_message":[],"_revision_number":6},{"id":"0109366c6e88055d5238b0055cf6f36673f99078","author":{"_account_id":3,"name":"Jenkins","username":"jenkins"},"date":"2015-03-12 05:03:43.000000000","message":"Patch Set 6: Verified+1\n\nBuild succeeded (check pipeline).\n\n- gate-nova-pep8 http://logs.openstack.org/33/163033/6/check/gate-nova-pep8/c3e1130/ : SUCCESS in 10m 47s\n- gate-nova-docs http://docs-draft.openstack.org/33/163033/6/check/gate-nova-docs/fd7f9e9//doc/build/html/ : SUCCESS in 8m 56s\n- gate-nova-python27 http://logs.openstack.org/33/163033/6/check/gate-nova-python27/06f2e8e/ : SUCCESS in 14m 21s\n- check-tempest-dsvm-full http://logs.openstack.org/33/163033/6/check/check-tempest-dsvm-full/3b44242/ : SUCCESS in 42m 34s\n- check-tempest-dsvm-postgres-full http://logs.openstack.org/33/163033/6/check/check-tempest-dsvm-postgres-full/fc15ce3/ : SUCCESS in 44m 09s\n- check-tempest-dsvm-neutron-full http://logs.openstack.org/33/163033/6/check/check-tempest-dsvm-neutron-full/ad1b2e8/ : SUCCESS in 48m 46s\n- check-grenade-dsvm http://logs.openstack.org/33/163033/6/check/check-grenade-dsvm/ad961d1/ : SUCCESS in 41m 38s\n- gate-tempest-dsvm-large-ops http://logs.openstack.org/33/163033/6/check/gate-tempest-dsvm-large-ops/f4ff7a5/ : SUCCESS in 29m 05s\n- gate-tempest-dsvm-neutron-large-ops http://logs.openstack.org/33/163033/6/check/gate-tempest-dsvm-neutron-large-ops/adffb02/ : SUCCESS in 21m 32s\n- check-devstack-dsvm-cells 
http://logs.openstack.org/33/163033/6/check/check-devstack-dsvm-cells/c9fda94/ : SUCCESS in 21m 20s\n- gate-nova-tox-functional http://logs.openstack.org/33/163033/6/check/gate-nova-tox-functional/878354f/ : SUCCESS in 11m 41s\n- check-grenade-dsvm-partial-ncpu http://logs.openstack.org/33/163033/6/check/check-grenade-dsvm-partial-ncpu/c4417cf/ : SUCCESS in 39m 30s\n- check-tempest-dsvm-ironic-pxe_ssh http://logs.openstack.org/33/163033/6/check/check-tempest-dsvm-ironic-pxe_ssh/09e8a43/ : SUCCESS in 33m 52s\n- check-tempest-dsvm-nova-v21-full http://logs.openstack.org/33/163033/6/check/check-tempest-dsvm-nova-v21-full/e6d2300/ : SUCCESS in 43m 44s\n- check-tempest-dsvm-cells http://logs.openstack.org/33/163033/6/check/check-tempest-dsvm-cells/fe1f109/ : FAILURE in 30m 16s (non-voting)\n- check-tempest-dsvm-full-ceph http://logs.openstack.org/33/163033/6/check/check-tempest-dsvm-full-ceph/ef43c20/ : SUCCESS in 38m 54s (non-voting)","accounts_in_message":[],"_revision_number":6},{"id":"5d819ace453f834df3f91b881db0af76debadafc","author":{"_account_id":10385,"name":"Citrix XenServer CI","username":"citrix_xenserver_ci","tags":["SERVICE_USER"]},"date":"2015-03-12 05:22:21.000000000","message":"Patch Set 6: Verified-1\n\nFailed using XenAPI driver with XenServer 6.2: Logs at http://dd6b71949550285df7dc-dda4e480e005aaa13ec303551d2d8155.r49.cf1.rackcdn.com/33/163033/6/12853/results.html\n\nUse \"xenserver: recheck\" to trigger only xenserver re-check.  
XenServer CI contact: openstack@citrix.com.\n\nDebugging suggestions at https://wiki.openstack.org/wiki/Debugging_XenServer_CI_failures","accounts_in_message":[],"_revision_number":6},{"id":"682aec49eea219855fdd9317f8f10de8a312fc8b","author":{"_account_id":12898,"name":"Tony Breeds","email":"tony@bakeyournoodle.com","username":"tonyb"},"date":"2015-03-12 05:56:55.000000000","message":"Patch Set 6: Code-Review+1\n\nI\u0027m fine with the host only check.\n\nserial consoles work with patchset 6\n\nThanks Dave!","accounts_in_message":[],"_revision_number":6},{"id":"55932b5b2a07fdfdce7985c9482ed292c2643aee","author":{"_account_id":9555,"name":"Matthew Booth","email":"mbooth@redhat.com","username":"MatthewBooth"},"date":"2015-03-12 10:22:07.000000000","message":"Patch Set 6: Code-Review-1\n\nI\u0027ve left my full stream of consciousness below, but TL;DR I don\u0027t think this is a bug at all, and we don\u0027t need to check Origin here.\n---\nHaving given this some thought, I don\u0027t think it\u0027s ok to ignore the port. Here\u0027s my reasoning:\n\nAn attacker discovers a vulnerability in service X (e.g. Horizon), which is running on the same server as n-sproxy. They use this to inject some javascript into a web page on service X which connects to the serial console of an instance. The Origin header of that request will be \u003cX host\u003e:\u003cX port\u003e. \u003cX host\u003e is the same as \u003cn-sproxy host\u003e. Only the ports differ. If we don\u0027t check the port we can\u0027t distinguish this attack. Incidentally, I suspect that if this was going to be exploited, this is one of the most likely vehicles for it, so I\u0027d rate it important.\n\nI\u0027m also pretty sure it\u0027s a vulnerability to be using the Host header at all:\n\nAn attacker entirely controls attacker.example.com. They configure a bouncer on attacker.example.com:6083 which masquerades traffic to n-sproxy.example.org:6083. 
They add some javascript to a page on attacker.example.com which connects to attacker.example.com:6083. Host in this request is attacker.example.com. Origin is attacker.example.com. These match, so we pass Origin validation. There may be other controls, but we have circumvented this one.\n\nLooking at other implementations, it seems it\u0027s normal to accept one of several valid Origins. If we\u0027re going to validate Origin, I think that list is:\n\nlocalhost:proxyport\nexternalurl:proxyport\n\nHowever, the thought process above has made me realise that this probably isn\u0027t a bug at all, and that validating Origin serves no purpose here. The reason is that a CSRF exploits an authenticated user agent. However, in this case the user agent isn\u0027t authenticated, because the authentication is embedded in a token in the URL itself. That is, if an attacker was able to construct a URL to deliver via a CSRF, they can just connect to it themselves, because they already have the authentication token.","accounts_in_message":[],"_revision_number":6},{"id":"5f129f9ec9ef31877084924c029fd07c5f5a12f6","author":{"_account_id":9555,"name":"Matthew Booth","email":"mbooth@redhat.com","username":"MatthewBooth"},"date":"2015-03-12 10:32:05.000000000","message":"Patch Set 6:\n\nOk, scratch the above because NoVNC puts the token in a cookie for subsequent use, which makes this exploitable without the token if the user has previously visited the URL.\n\nHowever, the points on Origin and Host, and validating the port number remain valid.","accounts_in_message":[],"_revision_number":6},{"id":"b3565573f3b3de0b7b53534746ec5189fb9820f0","author":{"_account_id":2750,"name":"Sean Dague","email":"sean@dague.net","username":"sdague"},"date":"2015-03-12 10:57:47.000000000","message":"Patch Set 6: Code-Review+2","accounts_in_message":[],"_revision_number":6},{"id":"3a62fe4a382abf31a4f6f24b29ee6e43d72c9c0c","author":{"_account_id":9555,"name":"Matthew 
Booth","email":"mbooth@redhat.com","username":"MatthewBooth"},"date":"2015-03-12 11:09:42.000000000","message":"Patch Set 6:\n\nJust read the whole bug (would have been good to have done that first :/). The Host thing has been covered there, but am I missing something:\n\nIf coming from a browser, this websocket request is going to have an Origin of the proxy server, because that\u0027s what served the containing html. The connection URL for the proxy server originated from a get-vnc-console call, which means that Nova knows exactly what it expects it to be. If the network environment is configured such that the user has to connect to something other than what was returned by get-vnc-console, then something somewhere also has to be rewriting that URL before delivering it to the user\u0027s browser. Do we do that? If not, I think we can safely assume we know what the Origin header is supposed to be.","accounts_in_message":[],"_revision_number":6},{"id":"da8cf9100d8255c2bae4b21f672987b7fecd78f5","author":{"_account_id":11561,"name":"Dave McCowan","email":"dmccowan@cisco.com","username":"dave-mccowan"},"date":"2015-03-12 12:32:43.000000000","message":"Patch Set 6:\n\nThanks Matthew.\n\nI think your suggestion is to change the verify check to make sure the Origin header matches the get-vnc-console url.  That had crossed my mind, but two issues made me decide to compare against the Host header instead.  1) I was afraid there might be a valid situation I couldn\u0027t predict where a user (or user\u0027s network) changed the hostname.  2) The complete URL is known by nova-compute process, but not passed to websocketproxy process.  I wrote an early patch that used RPC to pass the URL, but we decided to avoid modifying the RPC API for this bug.  
This was mostly so the patch could be backported to stable branches.\n\nHopefully the current patch does a good job simulating a same-origin policy, while relying on TLS to avoid a man-in-the-middle modifying headers in flight.","accounts_in_message":[],"_revision_number":6},{"id":"ce53b780f7444341e43b6e83448c7007cbf41af3","author":{"_account_id":11561,"name":"Dave McCowan","email":"dmccowan@cisco.com","username":"dave-mccowan"},"date":"2015-03-12 13:26:24.000000000","message":"Patch Set 6:\n\nIn Horizon, I can open a console and click \"Click here to show only console\".  I can modify the URL from that window to point to either my host\u0027s DNS name or IP address.  In both cases the Origin and Host headers become either the DNS name or the IP address (and match).  If we compare Origin against the get-vnc-console URL or the base_url, then we\u0027ll break that use case.","accounts_in_message":[],"_revision_number":6},{"id":"485f6e9189e747dd89e271bf16e238f83149079c","author":{"_account_id":9311,"name":"Tristan Cacqueray","email":"tdecacqu@redhat.com","username":"tristanC"},"date":"2015-03-12 13:42:19.000000000","message":"Patch Set 6:\n\nAfaik the port check is not relevant... This patch is mostly effective if origin is ssl protected, thus port numbers do not seem to matter for validating the origin (as any used port would still need to validate server certificate).\n\n@Paul McMillan, can you please review the last proposed patch ?","accounts_in_message":[],"_revision_number":6},{"id":"254758620051bf3a5555c91e409dd97d2089594d","author":{"_account_id":9555,"name":"Matthew Booth","email":"mbooth@redhat.com","username":"MatthewBooth"},"date":"2015-03-12 13:55:22.000000000","message":"Patch Set 6: Code-Review+1\n\n@Dave, the URL is known because we already use it to get the scheme: it comes from the config, which we have access to.\n\n@Tristan, the port check is relevant because it protects against a CSRF from another web service (e.g. Horizon) running on the same host. 
Note that this doesn\u0027t require a full compromise of the target web service, just the ability to cause it to serve attacker-provided content, e.g. from an unescaped field.\n\nI think both of these things are addressable and should be addressed. However, I\u0027m changing my vote to a +1 because I appreciate that this patch in its current form will prevent CSRF from a remote site.","accounts_in_message":[],"_revision_number":6},{"id":"78aa1cf84f99e987f2a4ec382fe7f07b4a7752a2","author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"date":"2015-03-12 14:22:58.000000000","message":"Patch Set 6: Code-Review+2 Workflow+1","accounts_in_message":[],"_revision_number":6},{"id":"699c4cd5a0665eebcc0a6945a077d25718594f54","author":{"_account_id":3,"name":"Jenkins","username":"jenkins"},"date":"2015-03-12 14:23:01.000000000","message":"Patch Set 6: -Verified\n\nStarting gate jobs.\nhttp://status.openstack.org/zuul/","accounts_in_message":[],"_revision_number":6},{"id":"a350a615f148a879bdf6a1a5dfca45bdd7a1198e","author":{"_account_id":3,"name":"Jenkins","username":"jenkins"},"date":"2015-03-12 15:31:08.000000000","message":"Patch Set 6: Verified+2\n\nBuild succeeded (gate pipeline).\n\n- gate-nova-docs http://docs-draft.openstack.org/33/163033/6/gate/gate-nova-docs/0ca9711//doc/build/html/ : SUCCESS in 8m 02s\n- gate-nova-pep8 http://logs.openstack.org/33/163033/6/gate/gate-nova-pep8/e921e00/ : SUCCESS in 7m 55s\n- gate-nova-python27 http://logs.openstack.org/33/163033/6/gate/gate-nova-python27/9d0fe28/ : SUCCESS in 13m 02s\n- gate-tempest-dsvm-full http://logs.openstack.org/33/163033/6/gate/gate-tempest-dsvm-full/80ad045/ : SUCCESS in 42m 23s\n- gate-tempest-dsvm-postgres-full http://logs.openstack.org/33/163033/6/gate/gate-tempest-dsvm-postgres-full/32f1d8e/ : SUCCESS in 35m 47s\n- gate-tempest-dsvm-neutron-full http://logs.openstack.org/33/163033/6/gate/gate-tempest-dsvm-neutron-full/1c08aca/ : SUCCESS in 58m 47s\n- 
gate-grenade-dsvm http://logs.openstack.org/33/163033/6/gate/gate-grenade-dsvm/659abc4/ : SUCCESS in 1h 00m 39s\n- gate-tempest-dsvm-large-ops http://logs.openstack.org/33/163033/6/gate/gate-tempest-dsvm-large-ops/c3e4699/ : SUCCESS in 24m 03s\n- gate-tempest-dsvm-neutron-large-ops http://logs.openstack.org/33/163033/6/gate/gate-tempest-dsvm-neutron-large-ops/d252bdc/ : SUCCESS in 25m 06s\n- gate-nova-tox-functional http://logs.openstack.org/33/163033/6/gate/gate-nova-tox-functional/7abba92/ : SUCCESS in 11m 14s\n- gate-devstack-dsvm-cells http://logs.openstack.org/33/163033/6/gate/gate-devstack-dsvm-cells/da8af1c/ : SUCCESS in 20m 00s\n- gate-grenade-dsvm-partial-ncpu http://logs.openstack.org/33/163033/6/gate/gate-grenade-dsvm-partial-ncpu/4576d78/ : SUCCESS in 39m 47s\n- gate-tempest-dsvm-nova-v21-full http://logs.openstack.org/33/163033/6/gate/gate-tempest-dsvm-nova-v21-full/8c59e43/ : SUCCESS in 52m 06s","accounts_in_message":[],"_revision_number":6},{"id":"c9eb9df1e7018eb36bde94d3b90f34e08ae2be1a","author":{"_account_id":3,"name":"Jenkins","username":"jenkins"},"date":"2015-03-12 15:31:11.000000000","message":"Change has been successfully merged into the git repository.","accounts_in_message":[],"_revision_number":6},{"id":"0a289797b110b551d753a203b648a22f6e58e9e2","author":{"_account_id":2230,"name":"Paul McMillan","email":"paul@mcmillan.ws","username":"paul-mcmillan"},"date":"2015-03-12 18:39:01.000000000","message":"Patch Set 6:\n\nAs Matthew Booth said, dropping the port requirement relaxes the security properties some, but on the balance the patch as proposed and merged looks good to me.","accounts_in_message":[],"_revision_number":6},{"id":"9177d7b1bc56f5906a6d224bb94eb9fd736eeb07","author":{"_account_id":9578,"name":"DB Datasets CI","email":"turbo-hipster@lists.rcbops.com","username":"turbo-hipster","tags":["SERVICE_USER"]},"date":"2015-03-12 19:35:22.000000000","message":"Patch Set 6:\n\nDatabase migration testing successful.\n\n- 
real-db-upgrade_nova_mysql_devstack_131007:th-mysql http://www.rcbops.com/turbo_hipster/results/33/163033/6/check/real-db-upgrade_nova_mysql_devstack_131007:th-mysql/ea2de6cf6f904f92bc21bf1b0f9d2737/index.html : SUCCESS in 16m 34s\n- real-db-upgrade_nova_mysql_user_001:th-mysql http://www.rcbops.com/turbo_hipster/results/33/163033/6/check/real-db-upgrade_nova_mysql_user_001:th-mysql/af28f11552044890b455f578426b994d/index.html : SUCCESS in 23m 40s\n- real-db-upgrade_nova_percona_devstack_131007:th-percona http://www.rcbops.com/turbo_hipster/results/33/163033/6/check/real-db-upgrade_nova_percona_devstack_131007:th-percona/54c76ab8579b4e84a980d346dbf00c00/index.html : SUCCESS in 20m 42s\n- real-db-upgrade_nova_percona_user_001:th-percona http://www.rcbops.com/turbo_hipster/results/33/163033/6/check/real-db-upgrade_nova_percona_user_001:th-percona/cf5f1a78e5a544e19736fd28f631d13a/index.html : SUCCESS in 23m 49s\n- real-db-upgrade_nova_mysql_user_002:th-mysql http://www.rcbops.com/turbo_hipster/results/33/163033/6/check/real-db-upgrade_nova_mysql_user_002:th-mysql/faf45c9428f9482ebd9c25f571f97cf6/index.html : SUCCESS in 18m 14s\n- real-db-upgrade_nova_percona_user_002:th-percona http://www.rcbops.com/turbo_hipster/results/33/163033/6/check/real-db-upgrade_nova_percona_user_002:th-percona/7eda2c61d32642e6ab7b9a7a27c0b364/index.html : SUCCESS in 17m 20s\n\nTo recheck, leave \u0027recheck migrations\u0027 as a comment. More information: https://wiki.openstack.org/wiki/ThirdPartySystems/DB_Datasets_CI","accounts_in_message":[],"_revision_number":6},{"id":"e07a538059d409eadbf929e76b21742785231e7b","author":{"_account_id":9008,"name":"VMware NSX CI","username":"vmwareminesweeper","tags":["SERVICE_USER"]},"date":"2015-03-13 01:16:38.000000000","message":"Patch Set 2:\n\nBuild successful. 
Logs: http://208.91.1.172/logs/163033/2","accounts_in_message":[],"_revision_number":2},{"id":"f8ddce860c7fa40bdb7d8b3701fc9ff4f5609370","author":{"_account_id":9008,"name":"VMware NSX CI","username":"vmwareminesweeper","tags":["SERVICE_USER"]},"date":"2015-03-13 06:30:00.000000000","message":"Patch Set 3:\n\nBuild successful. Logs: http://208.91.1.172/logs/163033/3","accounts_in_message":[],"_revision_number":3},{"id":"91c37a404d2ccccd7ca5290c1838290d78fbef00","author":{"_account_id":9008,"name":"VMware NSX CI","username":"vmwareminesweeper","tags":["SERVICE_USER"]},"date":"2015-03-13 07:18:53.000000000","message":"Patch Set 4:\n\nBuild successful. Logs: http://208.91.1.172/logs/163033/4","accounts_in_message":[],"_revision_number":4},{"id":"cf3ec662f2971b04b1faa491de344b7600317826","author":{"_account_id":9008,"name":"VMware NSX CI","username":"vmwareminesweeper","tags":["SERVICE_USER"]},"date":"2015-03-17 05:16:34.000000000","message":"Patch Set 5:\n\nBuild successful. Logs: http://208.91.1.172/logs/163033/5","accounts_in_message":[],"_revision_number":5},{"id":"5a9a48f653b918499e8a35d7dfe6ab8b848cb0d9","author":{"_account_id":9008,"name":"VMware NSX CI","username":"vmwareminesweeper","tags":["SERVICE_USER"]},"date":"2015-03-17 06:18:37.000000000","message":"Patch Set 6:\n\nBuild successful. 
Logs: http://208.91.1.172/logs/163033/6","accounts_in_message":[],"_revision_number":6}],"current_revision_number":6,"current_revision":"fdb73a2d445971c6158a80692c6f74094fd4193a","revisions":{"1eb56fcded304532349cd67fb55723f8c0f573aa":{"kind":"REWORK","_number":1,"created":"2015-03-10 15:00:24.000000000","uploader":{"_account_id":9311,"name":"Tristan Cacqueray","email":"tdecacqu@redhat.com","username":"tristanC"},"ref":"refs/changes/33/163033/1","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/nova","ref":"refs/changes/33/163033/1","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/nova refs/changes/33/163033/1 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/nova refs/changes/33/163033/1 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/nova refs/changes/33/163033/1 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/nova refs/changes/33/163033/1"}}},"commit":{"parents":[{"commit":"e5ed57dc3f93164ee8c09b13c60e7712736ad58a","subject":"Merge \"Move policy enforcement into REST API layer for v2.1 api attach_interfaces\"","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova/commit/e5ed57dc3f93164ee8c09b13c60e7712736ad58a"}]}],"author":{"name":"Dave McCowan","email":"dmccowan@cisco.com","date":"2015-03-02 20:00:22.000000000","tz":-300},"committer":{"name":"Tristan Cacqueray","email":"tristan.cacqueray@enovance.com","date":"2015-03-10 15:00:16.000000000","tz":0},"subject":"Websocket Proxy should verify Origin header","message":"Websocket Proxy should verify Origin header\n\nIf the Origin HTTP header passed in the WebSocket handshake does\nnot match the host, this could indicate an attempt at a\ncross-site attack.  
This commit adds a check to verify\nthe origin matches the host.\n\nChange-Id: Ica6ec23d6f69a236657d5ba0c3f51b693c633649\nCloses-Bug: 1409142\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova/commit/1eb56fcded304532349cd67fb55723f8c0f573aa"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova/commit/1eb56fcded304532349cd67fb55723f8c0f573aa"}]},"branch":"refs/heads/master"},"b8cda8657a057082d6663521de784e89501de455":{"kind":"NO_CODE_CHANGE","_number":2,"created":"2015-03-11 14:46:42.000000000","uploader":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"ref":"refs/changes/33/163033/2","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/nova","ref":"refs/changes/33/163033/2","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/nova refs/changes/33/163033/2 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/nova refs/changes/33/163033/2 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/nova refs/changes/33/163033/2 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/nova refs/changes/33/163033/2"}}},"commit":{"parents":[{"commit":"e5ed57dc3f93164ee8c09b13c60e7712736ad58a","subject":"Merge \"Move policy enforcement into REST API layer for v2.1 api attach_interfaces\"","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova/commit/e5ed57dc3f93164ee8c09b13c60e7712736ad58a"}]}],"author":{"name":"Dave McCowan","email":"dmccowan@cisco.com","date":"2015-03-02 20:00:22.000000000","tz":-300},"committer":{"name":"Sylvain Bauza","email":"sbauza@redhat.com","date":"2015-03-11 14:46:42.000000000","tz":0},"subject":"Websocket Proxy should verify Origin header","message":"Websocket Proxy 
should verify Origin header\n\nIf the Origin HTTP header passed in the WebSocket handshake does\nnot match the host, this could indicate an attempt at a\ncross-site attack.  This commit adds a check to verify\nthe origin matches the host.\n\nSecurityImpact\n\nChange-Id: Ica6ec23d6f69a236657d5ba0c3f51b693c633649\nCloses-Bug: 1409142","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova/commit/b8cda8657a057082d6663521de784e89501de455"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova/commit/b8cda8657a057082d6663521de784e89501de455"}]},"branch":"refs/heads/master"},"6cd05823e2d94f5afae2e9a7144d40e879f6e54b":{"kind":"REWORK","_number":3,"created":"2015-03-11 21:08:21.000000000","uploader":{"_account_id":11561,"name":"Dave McCowan","email":"dmccowan@cisco.com","username":"dave-mccowan"},"ref":"refs/changes/33/163033/3","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/nova","ref":"refs/changes/33/163033/3","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/nova refs/changes/33/163033/3 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/nova refs/changes/33/163033/3 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/nova refs/changes/33/163033/3 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/nova refs/changes/33/163033/3"}}},"commit":{"parents":[{"commit":"e5ed57dc3f93164ee8c09b13c60e7712736ad58a","subject":"Merge \"Move policy enforcement into REST API layer for v2.1 api attach_interfaces\"","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova/commit/e5ed57dc3f93164ee8c09b13c60e7712736ad58a"}]}],"author":{"name":"Dave McCowan","email":"dmccowan@cisco.com","date":"2015-03-02 
20:00:22.000000000","tz":-300},"committer":{"name":"Dave McCowan","email":"dmccowan@cisco.com","date":"2015-03-11 21:08:18.000000000","tz":-240},"subject":"Websocket Proxy should verify Origin header","message":"Websocket Proxy should verify Origin header\n\nIf the Origin HTTP header passed in the WebSocket handshake does\nnot match the host, this could indicate an attempt at a\ncross-site attack.  This commit adds a check to verify\nthe origin matches the host.\n\nSecurityImpact\n\nChange-Id: Ica6ec23d6f69a236657d5ba0c3f51b693c633649\nCloses-Bug: 1409142\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova/commit/6cd05823e2d94f5afae2e9a7144d40e879f6e54b"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova/commit/6cd05823e2d94f5afae2e9a7144d40e879f6e54b"}]},"branch":"refs/heads/master"},"d02b258d24355768ddf4bf3b1f6016b7affc65b2":{"kind":"REWORK","_number":4,"created":"2015-03-11 21:16:15.000000000","uploader":{"_account_id":11561,"name":"Dave McCowan","email":"dmccowan@cisco.com","username":"dave-mccowan"},"ref":"refs/changes/33/163033/4","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/nova","ref":"refs/changes/33/163033/4","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/nova refs/changes/33/163033/4 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/nova refs/changes/33/163033/4 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/nova refs/changes/33/163033/4 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/nova refs/changes/33/163033/4"}}},"commit":{"parents":[{"commit":"e5ed57dc3f93164ee8c09b13c60e7712736ad58a","subject":"Merge \"Move policy enforcement into REST API layer for v2.1 api 
attach_interfaces\"","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova/commit/e5ed57dc3f93164ee8c09b13c60e7712736ad58a"}]}],"author":{"name":"Dave McCowan","email":"dmccowan@cisco.com","date":"2015-03-02 20:00:22.000000000","tz":-300},"committer":{"name":"Dave McCowan","email":"dmccowan@cisco.com","date":"2015-03-11 21:16:15.000000000","tz":-240},"subject":"Websocket Proxy should verify Origin header","message":"Websocket Proxy should verify Origin header\n\nIf the Origin HTTP header passed in the WebSocket handshake does\nnot match the host, this could indicate an attempt at a\ncross-site attack.  This commit adds a check to verify\nthe origin matches the host.\n\nSecurityImpact\n\nChange-Id: Ica6ec23d6f69a236657d5ba0c3f51b693c633649\nCloses-Bug: 1409142\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova/commit/d02b258d24355768ddf4bf3b1f6016b7affc65b2"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova/commit/d02b258d24355768ddf4bf3b1f6016b7affc65b2"}]},"branch":"refs/heads/master"},"fef2944f970c7c6b45a218a58a0e75d0d4253d3c":{"kind":"REWORK","_number":5,"created":"2015-03-12 02:40:58.000000000","uploader":{"_account_id":12898,"name":"Tony Breeds","email":"tony@bakeyournoodle.com","username":"tonyb"},"ref":"refs/changes/33/163033/5","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/nova","ref":"refs/changes/33/163033/5","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/nova refs/changes/33/163033/5 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/nova refs/changes/33/163033/5 \u0026\u0026 git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/nova refs/changes/33/163033/5 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull 
https://review.opendev.org/openstack/nova refs/changes/33/163033/5"}}},"commit":{"parents":[{"commit":"e5ed57dc3f93164ee8c09b13c60e7712736ad58a","subject":"Merge \"Move policy enforcement into REST API layer for v2.1 api attach_interfaces\"","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova/commit/e5ed57dc3f93164ee8c09b13c60e7712736ad58a"}]}],"author":{"name":"Dave McCowan","email":"dmccowan@cisco.com","date":"2015-03-02 20:00:22.000000000","tz":-300},"committer":{"name":"Tony Breeds","email":"tony@bakeyournoodle.com","date":"2015-03-12 02:40:02.000000000","tz":660},"subject":"Websocket Proxy should verify Origin header","message":"Websocket Proxy should verify Origin header\n\nIf the Origin HTTP header passed in the WebSocket handshake does\nnot match the host, this could indicate an attempt at a\ncross-site attack.  This commit adds a check to verify\nthe origin matches the host.\n\nSecurityImpact\n\nChange-Id: Ica6ec23d6f69a236657d5ba0c3f51b693c633649\nCloses-Bug: 1409142\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova/commit/fef2944f970c7c6b45a218a58a0e75d0d4253d3c"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova/commit/fef2944f970c7c6b45a218a58a0e75d0d4253d3c"}]},"branch":"refs/heads/master"},"fdb73a2d445971c6158a80692c6f74094fd4193a":{"kind":"REWORK","_number":6,"created":"2015-03-12 04:08:46.000000000","uploader":{"_account_id":11561,"name":"Dave McCowan","email":"dmccowan@cisco.com","username":"dave-mccowan"},"ref":"refs/changes/33/163033/6","fetch":{"anonymous http":{"url":"https://review.opendev.org/openstack/nova","ref":"refs/changes/33/163033/6","commands":{"Checkout":"git fetch https://review.opendev.org/openstack/nova refs/changes/33/163033/6 \u0026\u0026 git checkout FETCH_HEAD","Cherry Pick":"git fetch https://review.opendev.org/openstack/nova refs/changes/33/163033/6 \u0026\u0026 
git cherry-pick FETCH_HEAD","Format Patch":"git fetch https://review.opendev.org/openstack/nova refs/changes/33/163033/6 \u0026\u0026 git format-patch -1 --stdout FETCH_HEAD","Pull":"git pull https://review.opendev.org/openstack/nova refs/changes/33/163033/6"}}},"commit":{"parents":[{"commit":"e5ed57dc3f93164ee8c09b13c60e7712736ad58a","subject":"Merge \"Move policy enforcement into REST API layer for v2.1 api attach_interfaces\"","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova/commit/e5ed57dc3f93164ee8c09b13c60e7712736ad58a"}]}],"author":{"name":"Dave McCowan","email":"dmccowan@cisco.com","date":"2015-03-02 20:00:22.000000000","tz":-300},"committer":{"name":"Dave McCowan","email":"dmccowan@cisco.com","date":"2015-03-12 04:08:10.000000000","tz":-240},"subject":"Websocket Proxy should verify Origin header","message":"Websocket Proxy should verify Origin header\n\nIf the Origin HTTP header passed in the WebSocket handshake does\nnot match the host, this could indicate an attempt at a\ncross-site attack.  This commit adds a check to verify\nthe origin matches the host.\n\nSecurityImpact\n\nChange-Id: Ica6ec23d6f69a236657d5ba0c3f51b693c633649\nCloses-Bug: 1409142\n","web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova/commit/fdb73a2d445971c6158a80692c6f74094fd4193a"}],"resolve_conflicts_web_links":[{"name":"gitea","tooltip":"Open in GitWeb","url":"https://opendev.org/openstack/nova/commit/fdb73a2d445971c6158a80692c6f74094fd4193a"}]},"branch":"refs/heads/master"}},"requirements":[],"submit_records":[],"submit_requirements":[]}
