What does this PR do? Please provide some context
Most web servers are configured to pass unrecognized/arbitrary host headers to the first virtual host. This change mitigates a host header attack by providing a whitelist for both LMS/CMS during installation.
Where should the reviewer start?
Any of the files.
How can this be manually tested? (brief repro steps and corpnet-URL with change)
1) Deploy STAMP specifying a whitelist of hostnames for LMS/CMS.
e.g. -EdxAppLmsAllowedHosts "lms-openedx-tm.trafficmanager.net,preview-openedx-tm.trafficmanager.net" -EdxAppCmsAllowedHosts "cms-openedx-tm.trafficmanager.net"
2) Verify that lms.env.json and cms.env.json contain their respective whitelists (LMS_ALLOWED_HOSTS and CMS_ALLOWED_HOSTS)
3) Verify that LMS/CMS continue to function as expected.
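The following is an added illustration, not code from this PR or from Open edX, of what the whitelist buys you once it is in lms.env.json: a Host header that is not on the list is rejected before the request reaches any view. The PR does not show how edx-platform consumes LMS_ALLOWED_HOSTS, so the example assumes the standard Django ALLOWED_HOSTS semantics (case-insensitive exact match, port stripped, a leading dot matching subdomains, "*" matching anything) and re-implements them in plain Python so it runs without Django. The JSON snippet and the hostnames in the checks are constructed from the values in the repro steps above; the function names are this example's own.

```python
from __future__ import annotations

import json
import re

# Constructed sample of the key this PR writes into lms.env.json; only the
# whitelist is shown, the real file carries many other settings.
SAMPLE_LMS_ENV_JSON = json.dumps({
    "LMS_ALLOWED_HOSTS": [
        "lms-openedx-tm.trafficmanager.net",
        "preview-openedx-tm.trafficmanager.net",
    ]
})

# Same shape as Django's host_validation_re: a DNS name or a bracketed
# IPv6 literal, optionally followed by :port. Anything else is rejected.
HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9\.:]+\])(:[0-9]+)?$")


def parse_allowed_hosts(param: str) -> list[str]:
    """Turn the comma-separated deployment parameter into a list of hostnames."""
    return [h.strip().lower() for h in param.split(",") if h.strip()]


def allowed_hosts_from_env_json(text: str, key: str) -> list[str]:
    """Read the whitelist back out of an env.json document (step 2 above)."""
    return [h.lower() for h in json.loads(text).get(key, [])]


def split_domain_port(host: str) -> tuple[str, str]:
    """Split 'example.com:8000' into ('example.com', '8000'); ('', '') if malformed."""
    match = HOST_RE.match(host.lower())
    if not match:
        return "", ""
    domain, port = match.groups()
    if domain.endswith("."):          # 'example.com.' and 'example.com' are the same name
        domain = domain[:-1]
    return domain, (port[1:] if port else "")


def is_same_domain(host: str, pattern: str) -> bool:
    """Exact match, or subdomain match when the pattern starts with a dot."""
    if not pattern:
        return False
    pattern = pattern.lower()
    if pattern[0] == ".":
        return host.endswith(pattern) or host == pattern[1:]
    return host == pattern


def validate_host(host: str, allowed_hosts: list[str]) -> bool:
    """True if any whitelist entry covers the host; '*' covers everything."""
    return any(p == "*" or is_same_domain(host, p) for p in allowed_hosts)


def check_request_host(raw_host_header: str, allowed_hosts: list[str]) -> tuple[bool, str]:
    """Decide whether a raw Host header value may be served.

    Returns (accepted, normalized_domain). With an empty whitelist every
    request is refused, which is why the deployment must write the list;
    with '*' every request is accepted, which reintroduces the attack.
    """
    domain, _port = split_domain_port(raw_host_header)
    if domain and validate_host(domain, allowed_hosts):
        return True, domain
    return False, domain   # Django would raise DisallowedHost here -> HTTP 400


if __name__ == "__main__":
    hosts = allowed_hosts_from_env_json(SAMPLE_LMS_ENV_JSON, "LMS_ALLOWED_HOSTS")
    for header in ("lms-openedx-tm.trafficmanager.net:443",
                   "preview-openedx-tm.trafficmanager.net",
                   "unexpected.example.net",
                   "lms-openedx-tm.trafficmanager.net.example.net"):
        accepted, domain = check_request_host(header, hosts)
        print(f"{header!r:55} -> {'served' if accepted else 'refused (400)'}")
```

The last two checks in the `__main__` block are the cases the whitelist exists for: an unrelated name and a name that merely starts with a whitelisted one are both refused, while a whitelisted name is accepted regardless of letter case or an appended port.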
What are the relevant TFS items? (list id numbers)
Bug 110829
Definition of done:
[ ] Title of the pull request is clear and informative
[ ] Add pull request hyperlink to relevant TFS items
[ ] For large or complex change: schedule an in-person review session
[ ] This change has appropriate test coverage
[ ] Get at least two approvals
Reminders DURING merge
If you're merging from a short-term (feature) branch into a long-term branch (like dev, release, or master) then "Squash and merge" to keep our history clean.
If merging between two long-term branches (like cherry picks from upstream, dev to release, etc.) then "Create merge commit" to preserve individual commits.