Description

Jason Shepherd

2020-03-16 06:19:58 UTC

Document URL: 
https://docs.openshift.com/container-platform/3.11/architecture/infrastructure_components/web_console.html#overview

Section Number and Name: 
Overview

Describe the issue: 
The CORS allowed origin regex has a vulnerability, see https://access.redhat.com/security/cve/CVE-2020-1741

Suggestions for improvement: 
Replace:
---
corsAllowedOrigins:
- (?i)//my\.subdomain\.domain\.com(:|\z)
The (?i) makes it case-insensitive.

The // pins to the beginning of the domain (and matches the double slash following http: or https:).

The \. escapes dots in the domain name.

The (:|\z) matches the end of the domain name (\z) or a port separator (:).
---

With:
---
corsAllowedOrigins:
- ^(?i)https://my\.subdomain\.domain\.com(:|\z)
The ^ matches the start of the string.

The (?i) makes it case-insensitive.

The \. escapes dots in the domain name.

The (:|\z) matches the end of the domain name (\z) or a port separator (:).
---
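As an added illustration (this is not part of the bug report, the OpenShift documentation, or the OpenShift code base), the following Go program compiles both regexes from the report with Go's `regexp` package, whose RE2 syntax is where `\z` (end of text) is valid, and runs them over a handful of constructed Origin header values. The `originAllowed` helper is a hypothetical stand-in for a regex-based allowlist check; the sample origins are made up for the demonstration. It shows what each change in the suggested pattern buys: `^` stops the allowed host from being accepted when it appears anywhere later in the string, and the literal `https://` stops a plain `http://` origin from matching.

```go
package main

import (
	"fmt"
	"regexp"
)

// Patterns quoted from the report: the documented (unanchored, scheme-agnostic)
// regex and the suggested replacement anchored to the start of the string and to https.
const (
	originalPattern = `(?i)//my\.subdomain\.domain\.com(:|\z)`
	hardenedPattern = `^(?i)https://my\.subdomain\.domain\.com(:|\z)`
)

// originAllowed reports whether one Origin header value matches any of the
// configured corsAllowedOrigins patterns. Hypothetical helper, not OpenShift code:
// it mirrors the shape of a regex allowlist check (MatchString is an unanchored
// search, which is exactly why a pattern without ^ over-matches).
func originAllowed(patterns []string, origin string) (bool, error) {
	for _, p := range patterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return false, fmt.Errorf("bad corsAllowedOrigins entry %q: %w", p, err)
		}
		if re.MatchString(origin) {
			return true, nil
		}
	}
	return false, nil
}

// Constructed sample Origin values (not taken from the page or any real deployment).
var sampleOrigins = []string{
	"https://my.subdomain.domain.com",              // exact host, should be allowed
	"https://MY.SUBDOMAIN.DOMAIN.COM:8443",         // case and port variant, should be allowed
	"http://my.subdomain.domain.com",               // plain http: only the hardened regex rejects it
	"https://myXsubdomain.domain.com",              // lookalike that an unescaped dot would accept
	"https://my.subdomain.domain.com.example.test", // extra suffix, rejected by (:|\z) in both
	"https://example.test//my.subdomain.domain.com", // host embedded mid-string: only ^ rejects it
}

func main() {
	for _, o := range sampleOrigins {
		old, _ := originAllowed([]string{originalPattern}, o)
		fixed, _ := originAllowed([]string{hardenedPattern}, o)
		fmt.Printf("%-48s original=%-5v hardened=%v\n", o, old, fixed)
	}
}
```

Running it prints one line per sample origin; the two rows where the columns differ are the plain `http://` origin and the origin with the allowed host embedded after another host, both accepted by the documented pattern and rejected by the suggested one. When reviewing a `corsAllowedOrigins` list, this is the kind of table worth producing for every entry: each regex should be anchored with `^`, pin the scheme, escape every dot, and terminate with `(:|\z)`.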
