##// END OF EJS Templates
upstream » ipython
RSS

Clone from https://github.com/ipython/ipython.git

Performing check only on open.
Kyle Kelley -
Show More
Show file before | Show file after | Hide comments
@@ -1,145 +1,138 b''
1 1 """Tornado handlers for WebSocket <-> ZMQ sockets.
2 2
3 3 Authors:
4 4
5 5 * Brian Granger
6 6 """
7 7
8 8 #-----------------------------------------------------------------------------
9 9 # Copyright (C) 2008-2011 The IPython Development Team
10 10 #
11 11 # Distributed under the terms of the BSD License. The full license is in
12 12 # the file COPYING, distributed as part of this software.
13 13 #-----------------------------------------------------------------------------
14 14
15 15 #-----------------------------------------------------------------------------
16 16 # Imports
17 17 #-----------------------------------------------------------------------------
18 18
19 19 try:
20 20 from urllib.parse import urlparse # Py 3
21 21 except ImportError:
22 22 from urlparse import urlparse # Py 2
23 23
24 24 try:
25 25 from http.cookies import SimpleCookie # Py 3
26 26 except ImportError:
27 27 from Cookie import SimpleCookie # Py 2
28 28 import logging
29 29 from tornado import web
30 30 from tornado import websocket
31 31
32 32 from zmq.utils import jsonapi
33 33
34 34 from IPython.kernel.zmq.session import Session
35 35 from IPython.utils.jsonutil import date_default
36 36 from IPython.utils.py3compat import PY3, cast_unicode
37 37
38 38 from .handlers import IPythonHandler
39 39
40 40 #-----------------------------------------------------------------------------
41 41 # ZMQ handlers
42 42 #-----------------------------------------------------------------------------
43 43
44 44 class ZMQStreamHandler(websocket.WebSocketHandler):
45 45
46 def check_origin(self):
47 """Check origin from headers."""
48 origin_header = self.request.headers["Origin"]
49 host = self.request.headers["Host"]
46 def is_cross_origin(self):
47 """Check to see that origin and host match in the headers."""
48 origin_header = self.request.headers.get("Origin")
49 host = self.request.headers.get("Host")
50 50
51 51 parsed_origin = urlparse(origin_header)
52 52 origin = parsed_origin.netloc
53 53
54 54 # Check to see that origin matches host directly, including ports
55 if origin != host:
56 self.log.warn("Cross Origin WebSocket Attempt.")
57 raise web.HTTPError(404)
58
59
60 def _execute(self, *args, **kwargs):
61 """Wrap all calls to make sure origin gets checked."""
62
63 # Check to see that origin matches host directly, including ports
64 self.check_origin()
55 return origin != host
65 56
66 # Pass on the rest of the handling by the WebSocketHandler
67 super(ZMQStreamHandler, self)._execute(*args, **kwargs)
68
69 57 def clear_cookie(self, *args, **kwargs):
70 58 """meaningless for websockets"""
71 59 pass
72 60
73 61 def _reserialize_reply(self, msg_list):
74 62 """Reserialize a reply message using JSON.
75 63
76 64 This takes the msg list from the ZMQ socket, unserializes it using
77 65 self.session and then serializes the result using JSON. This method
78 66 should be used by self._on_zmq_reply to build messages that can
79 67 be sent back to the browser.
80 68 """
81 69 idents, msg_list = self.session.feed_identities(msg_list)
82 70 msg = self.session.unserialize(msg_list)
83 71 try:
84 72 msg['header'].pop('date')
85 73 except KeyError:
86 74 pass
87 75 try:
88 76 msg['parent_header'].pop('date')
89 77 except KeyError:
90 78 pass
91 79 msg.pop('buffers')
92 80 return jsonapi.dumps(msg, default=date_default)
93 81
94 82 def _on_zmq_reply(self, msg_list):
95 83 # Sometimes this gets triggered when the on_close method is scheduled in the
96 84 # eventloop but hasn't been called.
97 85 if self.stream.closed(): return
98 86 try:
99 87 msg = self._reserialize_reply(msg_list)
100 88 except Exception:
101 89 self.log.critical("Malformed message: %r" % msg_list, exc_info=True)
102 90 else:
103 91 self.write_message(msg)
104 92
105 93 def allow_draft76(self):
106 94 """Allow draft 76, until browsers such as Safari update to RFC 6455.
107 95
108 96 This has been disabled by default in tornado in release 2.2.0, and
109 97 support will be removed in later versions.
110 98 """
111 99 return True
112 100
113 101
114 102 class AuthenticatedZMQStreamHandler(ZMQStreamHandler, IPythonHandler):
115 103
116 104 def open(self, kernel_id):
105 # Check to see that origin matches host directly, including ports
106 if self.is_cross_origin():
107 self.log.warn("Cross Origin WebSocket Attempt.")
108 raise web.HTTPError(404)
109
117 110 self.kernel_id = cast_unicode(kernel_id, 'ascii')
118 111 self.session = Session(config=self.config)
119 112 self.save_on_message = self.on_message
120 113 self.on_message = self.on_first_message
121 114
122 115 def _inject_cookie_message(self, msg):
123 116 """Inject the first message, which is the document cookie,
124 117 for authentication."""
125 118 if not PY3 and isinstance(msg, unicode):
126 119 # Cookie constructor doesn't accept unicode strings
127 120 # under Python 2.x for some reason
128 121 msg = msg.encode('utf8', 'replace')
129 122 try:
130 123 identity, msg = msg.split(':', 1)
131 124 self.session.session = cast_unicode(identity, 'ascii')
132 125 except Exception:
133 126 logging.error("First ws message didn't have the form 'identity:[cookie]' - %r", msg)
134 127
135 128 try:
136 129 self.request._cookies = SimpleCookie(msg)
137 130 except:
138 131 self.log.warn("couldn't parse cookie string: %s",msg, exc_info=True)
139 132
140 133 def on_first_message(self, msg):
141 134 self._inject_cookie_message(msg)
142 135 if self.get_current_user() is None:
143 136 self.log.warn("Couldn't authenticate WebSocket connection")
144 137 raise web.HTTPError(403)
145 self.on_message = self.save_on_message No newline at end of file
138 self.on_message = self.save_on_message
General Comments 0
You need to be logged in to leave comments. Login now