Insecure allowedOrigins validation #691
Comments
The scheme must be validated as well. Merely validating the host would be insufficient, as MITM + failure to validate scheme = vuln, if the end user intends to use HTTPS only.
I have written a unit test simulating vestin's example above, and can confirm that the matching does indeed fail (i.e. the above will not call
Thanks to
Okay, I think I incorporated the feedback in the PR. Testing with Chrome on I also introduced an To partially mitigate this I made the default value in
There's also an issue with port matching to consider. As it sits, the only configuration is the list of
I guess a 4th way would be to run the (fixed/wrapped) regexes on any incoming complete Origin headers (as now) if
All sound like they can be made secure; in my opinion 3 seems the safest to avoid shooting yourself in the foot.
Will look into this soonish (we are currently exhibiting at a trade fair).
I believe this was fixed and merged in #693
Is there documentation for this change anywhere? It's broken my origin validation, and I'm having trouble figuring out how to fix it. In particular, what should both the allowedOrigin list and the Origin header look like now, in order to match? I'm seeing errors such as After adding the scheme to my allowedOrigins list, I see: It does work when adding both the scheme and port to allowedOrigins, which I assume is because the origin port differs from the server port. A pointer to some explicit documentation about that necessity would still be appreciated. Thanks!
@jeffreyfroman-temboo please see the description of the
Excellent, thanks very much.
Autobahn|Python incorrectly checks the Origin header when the 'allowedOrigins' value is set.
The following will set
Then the following connection request will result in a valid 101 Protocol Switch Response:
This is due to the wildcard2patterns function, which turns `u"*.example.com"` into `r".*\.example\.com"`. This regex pattern is then matched against the complete incoming origin value. The websocket_origin value should first be parsed as a URI object and the authority section extracted, and the regex matched against the authority, ensuring that `^` and `$` are used, e.g. `r"^.*\.example\.com$"`.
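The flaw described in this issue (an unanchored wildcard regex run over the whole Origin value) beside a check that does what the report and the follow-up comments ask for: parse the Origin, compare the scheme, match the anchored pattern against the host only, and compare the port. This is an added Python example, not Autobahn|Python's code; the function names, the `scheme://host-pattern[:port]` form of the allowed entries, and the rule that a missing port means the scheme's default port are assumptions made for the example, and the Origin values are constructed test inputs.

```python
import re
from urllib.parse import urlsplit

# Assumed for the example: a missing port means the scheme's default port.
DEFAULT_PORTS = {"http": 80, "https": 443}


def wildcard_to_regex(pattern):
    """Escape the pattern and turn '*' into '.*', with no anchors.

    This reproduces the transformation the issue describes:
    '*.example.com' becomes '.*\\.example\\.com'.
    """
    return re.escape(pattern).replace(r"\*", ".*")


def origin_allowed_insecure(origin, allowed):
    """The flawed check: run the unanchored host pattern over the full Origin.

    '.*' swallows the scheme, so neither scheme nor port is ever compared,
    and without '$' anything after '.example.com' is accepted as well.
    """
    return any(re.match(wildcard_to_regex(p), origin) for p in allowed)


def parse_allowed(entry):
    """Split an allowed entry 'scheme://host-pattern[:port]' (assumed form)
    into (scheme, anchored host regex, port)."""
    parts = urlsplit(entry)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("allowed origin must be scheme://host[:port]: %r" % entry)
    # '^' and '$' as the issue proposes; fullmatch() below enforces them too,
    # since '$' alone would still match before a trailing newline.
    host_regex = re.compile("^" + wildcard_to_regex(parts.hostname) + "$")
    return parts.scheme, host_regex, parts.port or DEFAULT_PORTS[parts.scheme]


def origin_allowed(origin, allowed):
    """Parse the Origin and compare scheme, host and port separately.

    An Origin is only scheme://host[:port]; anything with a path, query,
    fragment or userinfo is rejected outright rather than pattern-matched.
    """
    try:
        parts = urlsplit(origin)
        host, port = parts.hostname, parts.port  # .port raises on a bad port
    except ValueError:
        return False
    if parts.scheme not in DEFAULT_PORTS or not host:
        return False
    if parts.path or parts.query or parts.fragment or parts.username:
        return False
    port = port or DEFAULT_PORTS[parts.scheme]
    for scheme, host_regex, allowed_port in (parse_allowed(e) for e in allowed):
        if parts.scheme == scheme and port == allowed_port and host_regex.fullmatch(host):
            return True
    return False


if __name__ == "__main__":
    # Constructed inputs: the flawed check accepts a lookalike host and the
    # wrong scheme; the parsed check accepts only the intended origin.
    print(origin_allowed_insecure("https://www.example.com.attacker.net", ["*.example.com"]))
    print(origin_allowed_insecure("http://www.example.com", ["*.example.com"]))
    print(origin_allowed("https://www.example.com", ["https://*.example.com"]))
    print(origin_allowed("https://www.example.com.attacker.net", ["https://*.example.com"]))
    print(origin_allowed("http://www.example.com", ["https://*.example.com"]))
    print(origin_allowed("https://www.example.com:8443", ["https://*.example.com"]))
```

Matching against the parsed host rather than the raw header is what closes the prefix and suffix tricks; the separate scheme and port comparisons address the two follow-up points raised in the comments (a plain-HTTP origin must not satisfy an HTTPS-only deployment, and a non-default port must be listed explicitly to match).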