Show More
@@ -43,28 +43,16 b' from .handlers import IPythonHandler' | |||||
43 |
|
43 | |||
44 | class ZMQStreamHandler(websocket.WebSocketHandler): |
|
44 | class ZMQStreamHandler(websocket.WebSocketHandler): | |
45 |
|
45 | |||
46 |
def |
|
46 | def is_cross_origin(self): | |
47 |
"""Check origin |
|
47 | """Check to see that origin and host match in the headers.""" | |
48 |
origin_header = self.request.headers |
|
48 | origin_header = self.request.headers.get("Origin") | |
49 |
host = self.request.headers |
|
49 | host = self.request.headers.get("Host") | |
50 |
|
50 | |||
51 | parsed_origin = urlparse(origin_header) |
|
51 | parsed_origin = urlparse(origin_header) | |
52 | origin = parsed_origin.netloc |
|
52 | origin = parsed_origin.netloc | |
53 |
|
53 | |||
54 | # Check to see that origin matches host directly, including ports |
|
54 | # Check to see that origin matches host directly, including ports | |
55 |
|
|
55 | return origin != host | |
56 | self.log.warn("Cross Origin WebSocket Attempt.") |
|
|||
57 | raise web.HTTPError(404) |
|
|||
58 |
|
||||
59 |
|
||||
60 | def _execute(self, *args, **kwargs): |
|
|||
61 | """Wrap all calls to make sure origin gets checked.""" |
|
|||
62 |
|
||||
63 | # Check to see that origin matches host directly, including ports |
|
|||
64 | self.check_origin() |
|
|||
65 |
|
||||
66 | # Pass on the rest of the handling by the WebSocketHandler |
|
|||
67 | super(ZMQStreamHandler, self)._execute(*args, **kwargs) |
|
|||
68 |
|
56 | |||
69 | def clear_cookie(self, *args, **kwargs): |
|
57 | def clear_cookie(self, *args, **kwargs): | |
70 | """meaningless for websockets""" |
|
58 | """meaningless for websockets""" | |
@@ -114,6 +102,11 b' class ZMQStreamHandler(websocket.WebSocketHandler):' | |||||
114 | class AuthenticatedZMQStreamHandler(ZMQStreamHandler, IPythonHandler): |
|
102 | class AuthenticatedZMQStreamHandler(ZMQStreamHandler, IPythonHandler): | |
115 |
|
103 | |||
116 | def open(self, kernel_id): |
|
104 | def open(self, kernel_id): | |
|
105 | # Check to see that origin matches host directly, including ports | |||
|
106 | if self.is_cross_origin(): | |||
|
107 | self.log.warn("Cross Origin WebSocket Attempt.") | |||
|
108 | raise web.HTTPError(404) | |||
|
109 | ||||
117 | self.kernel_id = cast_unicode(kernel_id, 'ascii') |
|
110 | self.kernel_id = cast_unicode(kernel_id, 'ascii') | |
118 | self.session = Session(config=self.config) |
|
111 | self.session = Session(config=self.config) | |
119 | self.save_on_message = self.on_message |
|
112 | self.save_on_message = self.on_message |
General Comments 0
You need to be logged in to leave comments.
Login now