Backport PR #4845: Add Origin Checking to WebSockets
MinRK -
@@ -16,6 +16,8 Authors:
16 # Imports
16 # Imports
17 #-----------------------------------------------------------------------------
17 #-----------------------------------------------------------------------------
18
18
19 from urlparse import urlparse
20
19 import Cookie
21 import Cookie
20 import logging
22 import logging
21 from tornado import web
23 from tornado import web
@@ -35,6 +37,29 from .handlers import IPythonHandler
35
37
36 class ZMQStreamHandler(websocket.WebSocketHandler):
38 class ZMQStreamHandler(websocket.WebSocketHandler):
37
39
40 def same_origin(self):
41 """Check to see that origin and host match in the headers."""
42
43 # The difference between version 8 and 13 is that in 8 the
44 # client sends a "Sec-Websocket-Origin" header and in 13 it's
45 # simply "Origin".
46 if self.request.headers.get("Sec-WebSocket-Version") in ("7", "8"):
47 origin_header = self.request.headers.get("Sec-Websocket-Origin")
48 else:
49 origin_header = self.request.headers.get("Origin")
50
51 host = self.request.headers.get("Host")
52
53 # If no header is provided, assume we can't verify origin
54 if(origin_header is None or host is None):
55 return False
56
57 parsed_origin = urlparse(origin_header)
58 origin = parsed_origin.netloc
59
60 # Check to see that origin matches host directly, including ports
61 return origin == host
62
38 def clear_cookie(self, *args, **kwargs):
63 def clear_cookie(self, *args, **kwargs):
39 """meaningless for websockets"""
64 """meaningless for websockets"""
40 pass
65 pass
@@ -83,6 +108,11 class ZMQStreamHandler(websocket.WebSocketHandler):
83 class AuthenticatedZMQStreamHandler(ZMQStreamHandler, IPythonHandler):
108 class AuthenticatedZMQStreamHandler(ZMQStreamHandler, IPythonHandler):
84
109
85 def open(self, kernel_id):
110 def open(self, kernel_id):
111 # Check to see that origin matches host directly, including ports
112 if not self.same_origin():
113 self.log.warn("Cross Origin WebSocket Attempt.")
114 raise web.HTTPError(404)
115
86 self.kernel_id = cast_unicode(kernel_id, 'ascii')
116 self.kernel_id = cast_unicode(kernel_id, 'ascii')
87 self.session = Session(config=self.config)
117 self.session = Session(config=self.config)
88 self.save_on_message = self.on_message
118 self.save_on_message = self.on_message
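Review bot: The origin check at new line 112 lives in `open()`, which tornado's WebSocketHandler invokes from its open callback; if the handshake has already been completed by then (the handler's execution order is not visible here), `raise web.HTTPError(404)` tears down an accepted connection rather than rejecting the upgrade with a 404, so the check belongs in whichever method runs before the handshake in this tornado version. In `same_origin` (first hunk, new line 61) `origin == host` compares the Origin netloc with the raw `Host` header byte-for-byte, so a hostname differing only in case produces a false mismatch even though hostnames are case-insensitive; `return origin.lower() == host.lower()` keeps the port comparison strict without that false negative. For triage the rejection log should carry the values that failed, e.g. `self.log.warning("Cross Origin WebSocket Attempt: origin=%r host=%r", self.request.headers.get("Origin"), self.request.headers.get("Host"))` (`warning` rather than the deprecated `warn` alias), since a bare message cannot be correlated with a client. `open()` continues outside the hunk.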