##// END OF EJS Templates
upstream » ipython
RSS

Clone from https://github.com/ipython/ipython.git

Name change to same_origin
Kyle Kelley -
Show More
Show file before | Show file after | Hide comments
@@ -1,141 +1,142 b''
1 1 """Tornado handlers for WebSocket <-> ZMQ sockets.
2 2
3 3 Authors:
4 4
5 5 * Brian Granger
6 6 """
7 7
8 8 #-----------------------------------------------------------------------------
9 9 # Copyright (C) 2008-2011 The IPython Development Team
10 10 #
11 11 # Distributed under the terms of the BSD License. The full license is in
12 12 # the file COPYING, distributed as part of this software.
13 13 #-----------------------------------------------------------------------------
14 14
15 15 #-----------------------------------------------------------------------------
16 16 # Imports
17 17 #-----------------------------------------------------------------------------
18 18
19 19 try:
20 20 from urllib.parse import urlparse # Py 3
21 21 except ImportError:
22 22 from urlparse import urlparse # Py 2
23 23
24 24 try:
25 25 from http.cookies import SimpleCookie # Py 3
26 26 except ImportError:
27 27 from Cookie import SimpleCookie # Py 2
28 28 import logging
29 29 from tornado import web
30 30 from tornado import websocket
31 31
32 32 from zmq.utils import jsonapi
33 33
34 34 from IPython.kernel.zmq.session import Session
35 35 from IPython.utils.jsonutil import date_default
36 36 from IPython.utils.py3compat import PY3, cast_unicode
37 37
38 38 from .handlers import IPythonHandler
39 39
40 40 #-----------------------------------------------------------------------------
41 41 # ZMQ handlers
42 42 #-----------------------------------------------------------------------------
43 43
44 44 class ZMQStreamHandler(websocket.WebSocketHandler):
45 45
46 def is_cross_origin(self):
46 def same_origin(self):
47 47 """Check to see that origin and host match in the headers."""
48 48 origin_header = self.request.headers.get("Origin")
49 49 host = self.request.headers.get("Host")
50 50
51 # If no header is provided, assume we can't verify origin
51 52 if(origin_header == None or host == None):
52 return True
53 return False
53 54
54 55 parsed_origin = urlparse(origin_header)
55 56 origin = parsed_origin.netloc
56 57
57 58 # Check to see that origin matches host directly, including ports
58 return origin != host
59 return origin == host
59 60
60 61 def clear_cookie(self, *args, **kwargs):
61 62 """meaningless for websockets"""
62 63 pass
63 64
64 65 def _reserialize_reply(self, msg_list):
65 66 """Reserialize a reply message using JSON.
66 67
67 68 This takes the msg list from the ZMQ socket, unserializes it using
68 69 self.session and then serializes the result using JSON. This method
69 70 should be used by self._on_zmq_reply to build messages that can
70 71 be sent back to the browser.
71 72 """
72 73 idents, msg_list = self.session.feed_identities(msg_list)
73 74 msg = self.session.unserialize(msg_list)
74 75 try:
75 76 msg['header'].pop('date')
76 77 except KeyError:
77 78 pass
78 79 try:
79 80 msg['parent_header'].pop('date')
80 81 except KeyError:
81 82 pass
82 83 msg.pop('buffers')
83 84 return jsonapi.dumps(msg, default=date_default)
84 85
85 86 def _on_zmq_reply(self, msg_list):
86 87 # Sometimes this gets triggered when the on_close method is scheduled in the
87 88 # eventloop but hasn't been called.
88 89 if self.stream.closed(): return
89 90 try:
90 91 msg = self._reserialize_reply(msg_list)
91 92 except Exception:
92 93 self.log.critical("Malformed message: %r" % msg_list, exc_info=True)
93 94 else:
94 95 self.write_message(msg)
95 96
96 97 def allow_draft76(self):
97 98 """Allow draft 76, until browsers such as Safari update to RFC 6455.
98 99
99 100 This has been disabled by default in tornado in release 2.2.0, and
100 101 support will be removed in later versions.
101 102 """
102 103 return True
103 104
104 105
105 106 class AuthenticatedZMQStreamHandler(ZMQStreamHandler, IPythonHandler):
106 107
107 108 def open(self, kernel_id):
108 109 # Check to see that origin matches host directly, including ports
109 if self.is_cross_origin():
110 if not self.same_origin():
110 111 self.log.warn("Cross Origin WebSocket Attempt.")
111 112 raise web.HTTPError(404)
112 113
113 114 self.kernel_id = cast_unicode(kernel_id, 'ascii')
114 115 self.session = Session(config=self.config)
115 116 self.save_on_message = self.on_message
116 117 self.on_message = self.on_first_message
117 118
118 119 def _inject_cookie_message(self, msg):
119 120 """Inject the first message, which is the document cookie,
120 121 for authentication."""
121 122 if not PY3 and isinstance(msg, unicode):
122 123 # Cookie constructor doesn't accept unicode strings
123 124 # under Python 2.x for some reason
124 125 msg = msg.encode('utf8', 'replace')
125 126 try:
126 127 identity, msg = msg.split(':', 1)
127 128 self.session.session = cast_unicode(identity, 'ascii')
128 129 except Exception:
129 130 logging.error("First ws message didn't have the form 'identity:[cookie]' - %r", msg)
130 131
131 132 try:
132 133 self.request._cookies = SimpleCookie(msg)
133 134 except:
134 135 self.log.warn("couldn't parse cookie string: %s",msg, exc_info=True)
135 136
136 137 def on_first_message(self, msg):
137 138 self._inject_cookie_message(msg)
138 139 if self.get_current_user() is None:
139 140 self.log.warn("Couldn't authenticate WebSocket connection")
140 141 raise web.HTTPError(403)
141 142 self.on_message = self.save_on_message
General Comments 0
You need to be logged in to leave comments. Login now