[Twisted-web] Preventing XSS when using Nevow's vhost functionality
David Reid
dreid at dreid.org
Wed Oct 19 17:52:28 MDT 2005
On Oct 19, 2005, at 4:39 PM, David Remahl wrote:
> I'm not familiar with web2.vhost.VHostURIRewrite, but will check it
> out..."Configuration time", you say. I assume that means at the
> start of the handling of a request, not when the application is set
> up and configured? If so, that sounds like a good solution in many
> cases.
In fact configuration time does mean in the .tac. You create a
vhost.VHostURIRewrite resource like so:

    from twisted.web2 import server, vhost

    # The public URI is fixed here, in the .tac; nothing in the request changes it.
    root = vhost.VHostURIRewrite(uri='http://host:port/path',
                                 resource=realrootresource)
    site = server.Site(root)
There is also an AutoVHostURIRewrite which makes use of the x-app-scheme,
x-forwarded-host, x-app-location, and x-forwarded-for headers to
determine the real hostname, port, path, etc. and also the client IP
address. I'm fairly sure this isn't vulnerable to a similar attack
as VHostMonsterResource, but I haven't done an extensive audit of that
particular code.
> Only allowing a single "invocation" of the monster resource is
> insufficient in certain situations, namely when
> http://internalserver:1234/ is accessible from the outside and not
> _exclusively_ by the reverse proxy. This might also be a problem
> with the VHostURIRewrite approach?
It would be a problem with AutoVHostURIRewrite but not a problem with
VHostURIRewrite, because VHostURIRewrite would mangle the request
unconditionally, and if the client clicked an absolute link they would
end up at the proper location anyway. This unconditional mangling might
have other implications if internalserver:1234 is accessible from
outside, but in my opinion that's just more of a reason not to have
that kind of configuration.
-David
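The distinction drawn in this message, fixed configuration versus proxy-supplied headers, is modelled below in plain Python. This is an added example, not code from the thread and not Twisted's or Nevow's own implementation: `fixed_rewrite` stands in for the VHostURIRewrite idea (public location fixed once, request headers ignored) and `header_rewrite` for the AutoVHostURIRewrite idea (location and client IP read from x-app-scheme, x-forwarded-host, x-app-location and x-forwarded-for), with the check that makes the second approach safe when the internal server is reachable directly: forwarded headers are accepted only from a configured proxy address. The header meanings, the `Request` class, and all addresses and hostnames are assumptions constructed for the example.

```python
"""Fixed vs header-derived vhost rewriting behind a reverse proxy (added example)."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Request:
    """Constructed stand-in for an HTTP request as the backend sees it."""
    path: str                                # request path on the internal server
    headers: dict = field(default_factory=dict)
    peer: str = "127.0.0.1"                  # TCP peer address of the connection

    def header(self, name):
        # Header names are case-insensitive; normalise on lookup.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def fixed_rewrite(req, public_uri):
    """Public URL for req when the external location is fixed in the .tac.

    Nothing the client sends can change scheme, host, port or prefix, so a
    request that reaches the backend without the proxy still yields the
    configured location (the 'unconditional mangling' described above).
    """
    parts = urlsplit(public_uri)
    prefix = parts.path.rstrip("/")
    return f"{parts.scheme}://{parts.netloc}{prefix}{req.path}"


def header_rewrite(req, trusted_proxies):
    """Public URL and client IP for req, taken from proxy-supplied headers.

    The headers only mean something if the connection really came from the
    reverse proxy, so they are refused for any other peer. Without this
    check a directly reachable internal server would believe whatever host,
    path and client address a caller chose to put in the headers.
    Returns (url, client_ip). Header semantics are assumptions for this example.
    """
    if req.peer not in trusted_proxies:
        raise ValueError(f"forwarded headers not trusted from peer {req.peer}")
    scheme = req.header("x-app-scheme") or "http"
    host = req.header("x-forwarded-host")
    if not host:
        raise ValueError("x-forwarded-host missing")
    prefix = (req.header("x-app-location") or "/").rstrip("/")
    forwarded_for = req.header("x-forwarded-for") or req.peer
    # The proxy appends the address it actually saw; anything the client put
    # in the header itself sits to the left, so only the rightmost entry is used.
    client_ip = forwarded_for.split(",")[-1].strip()
    return f"{scheme}://{host}{prefix}{req.path}", client_ip


def demo():
    """Run the cases discussed in the thread; all values are constructed."""
    trusted = {"10.0.0.1"}                      # the reverse proxy's address
    public = "https://www.example.com/app"      # configured public location

    via_proxy = Request(
        "/login",
        {"X-App-Scheme": "https", "X-Forwarded-Host": "www.example.com",
         "X-App-Location": "/app", "X-Forwarded-For": "198.51.100.7"},
        peer="10.0.0.1",
    )
    # Same backend reached directly, with headers the proxy never set.
    direct = Request(
        "/login",
        {"X-Forwarded-Host": "spoofed-host.example", "X-Forwarded-For": "127.0.0.1"},
        peer="203.0.113.9",
    )
    results = {
        "fixed_via_proxy": fixed_rewrite(via_proxy, public),
        "fixed_direct": fixed_rewrite(direct, public),
        "header_via_proxy": header_rewrite(via_proxy, trusted),
    }
    try:
        header_rewrite(direct, trusted)
        results["header_direct"] = "accepted"
    except ValueError as exc:
        results["header_direct"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both fixed_rewrite calls return the configured location regardless of the headers, which is the property the message relies on; header_rewrite returns the proxy-supplied location for the proxied request and refuses the direct one.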