Show More
| @@ -29,6 +29,10 b' try:' | |||||
| 29 | from http.client import responses |
|
29 | from http.client import responses | |
| 30 | except ImportError: |
|
30 | except ImportError: | |
| 31 | from httplib import responses |
|
31 | from httplib import responses | |
|
|
32 | try: | |||
|
|
33 | from urllib.parse import urlparse # Py 3 | |||
|
|
34 | except ImportError: | |||
|
|
35 | from urlparse import urlparse # Py 2 | |||
| 32 |
|
36 | |||
| 33 | from jinja2 import TemplateNotFound |
|
37 | from jinja2 import TemplateNotFound | |
| 34 | from tornado import web |
|
38 | from tornado import web | |
| @@ -208,6 +212,50 b' class IPythonHandler(AuthenticatedHandler):' | |||||
| 208 | origin = self.request.headers.get("Sec-Websocket-Origin", None) |
|
212 | origin = self.request.headers.get("Sec-Websocket-Origin", None) | |
| 209 | return origin |
|
213 | return origin | |
| 210 |
|
214 | |||
|
|
215 | def check_origin_api(self): | |||
|
|
216 | """Check Origin for cross-site API requests. | |||
|
|
217 | ||||
|
|
218 | Copied from WebSocket with changes: | |||
|
|
219 | ||||
|
|
220 | - allow unspecified host/origin (e.g. scripts) | |||
|
|
221 | """ | |||
|
|
222 | if self.allow_origin == '*': | |||
|
|
223 | return True | |||
|
|
224 | ||||
|
|
225 | host = self.request.headers.get("Host") | |||
|
|
226 | origin = self.request.headers.get("Origin") | |||
|
|
227 | ||||
|
|
228 | # If no header is provided, assume it comes from a script/curl. | |||
|
|
229 | # We are only concerned with cross-site browser stuff here. | |||
|
|
230 | if origin is None or host is None: | |||
|
|
231 | return True | |||
|
|
232 | ||||
|
|
233 | origin = origin.lower() | |||
|
|
234 | origin_host = urlparse(origin).netloc | |||
|
|
235 | ||||
|
|
236 | # OK if origin matches host | |||
|
|
237 | if origin_host == host: | |||
|
|
238 | return True | |||
|
|
239 | ||||
|
|
240 | # Check CORS headers | |||
|
|
241 | if self.allow_origin: | |||
|
|
242 | allow = self.allow_origin == origin | |||
|
|
243 | elif self.allow_origin_pat: | |||
|
|
244 | allow = bool(self.allow_origin_pat.match(origin)) | |||
|
|
245 | else: | |||
|
|
246 | # No CORS headers deny the request | |||
|
|
247 | allow = False | |||
|
|
248 | if not allow: | |||
|
|
249 | self.log.warn("Blocking Cross Origin API request. Origin: %s, Host: %s", | |||
|
|
250 | origin, host, | |||
|
|
251 | ) | |||
|
|
252 | return allow | |||
|
|
253 | ||||
|
|
254 | def prepare(self): | |||
|
|
255 | if not self.check_origin_api(): | |||
|
|
256 | raise web.HTTPError(404) | |||
|
|
257 | return super(IPythonHandler, self).prepare() | |||
|
|
258 | ||||
| 211 | #--------------------------------------------------------------- |
|
259 | #--------------------------------------------------------------- | |
| 212 | # template rendering |
|
260 | # template rendering | |
| 213 | #--------------------------------------------------------------- |
|
261 | #--------------------------------------------------------------- | |
General Comments 0
You need to be logged in to leave comments.
Login now