Show More
@@ -17,6 +17,11 b' Authors:' | |||||
17 | #----------------------------------------------------------------------------- |
|
17 | #----------------------------------------------------------------------------- | |
18 |
|
18 | |||
19 | try: |
|
19 | try: | |
|
20 | from urllib.parse import urlparse # Py 3 | |||
|
21 | except ImportError: | |||
|
22 | from urlparse import urlparse # Py 2 | |||
|
23 | ||||
|
24 | try: | |||
20 | from http.cookies import SimpleCookie # Py 3 |
|
25 | from http.cookies import SimpleCookie # Py 3 | |
21 | except ImportError: |
|
26 | except ImportError: | |
22 | from Cookie import SimpleCookie # Py 2 |
|
27 | from Cookie import SimpleCookie # Py 2 | |
@@ -37,7 +42,30 b' from .handlers import IPythonHandler' | |||||
37 | #----------------------------------------------------------------------------- |
|
42 | #----------------------------------------------------------------------------- | |
38 |
|
43 | |||
39 | class ZMQStreamHandler(websocket.WebSocketHandler): |
|
44 | class ZMQStreamHandler(websocket.WebSocketHandler): | |
40 |
|
45 | |||
|
46 | def same_origin(self): | |||
|
47 | """Check to see that origin and host match in the headers.""" | |||
|
48 | ||||
|
49 | # The difference between version 8 and 13 is that in 8 the | |||
|
50 | # client sends a "Sec-Websocket-Origin" header and in 13 it's | |||
|
51 | # simply "Origin". | |||
|
52 | if self.request.headers.get("Sec-WebSocket-Version") in ("7", "8"): | |||
|
53 | origin_header = self.request.headers.get("Sec-Websocket-Origin") | |||
|
54 | else: | |||
|
55 | origin_header = self.request.headers.get("Origin") | |||
|
56 | ||||
|
57 | host = self.request.headers.get("Host") | |||
|
58 | ||||
|
59 | # If no header is provided, assume we can't verify origin | |||
|
60 | if(origin_header is None or host is None): | |||
|
61 | return False | |||
|
62 | ||||
|
63 | parsed_origin = urlparse(origin_header) | |||
|
64 | origin = parsed_origin.netloc | |||
|
65 | ||||
|
66 | # Check to see that origin matches host directly, including ports | |||
|
67 | return origin == host | |||
|
68 | ||||
41 | def clear_cookie(self, *args, **kwargs): |
|
69 | def clear_cookie(self, *args, **kwargs): | |
42 | """meaningless for websockets""" |
|
70 | """meaningless for websockets""" | |
43 | pass |
|
71 | pass | |
@@ -86,6 +114,11 b' class ZMQStreamHandler(websocket.WebSocketHandler):' | |||||
86 | class AuthenticatedZMQStreamHandler(ZMQStreamHandler, IPythonHandler): |
|
114 | class AuthenticatedZMQStreamHandler(ZMQStreamHandler, IPythonHandler): | |
87 |
|
115 | |||
88 | def open(self, kernel_id): |
|
116 | def open(self, kernel_id): | |
|
117 | # Check to see that origin matches host directly, including ports | |||
|
118 | if not self.same_origin(): | |||
|
119 | self.log.warn("Cross Origin WebSocket Attempt.") | |||
|
120 | raise web.HTTPError(404) | |||
|
121 | ||||
89 | self.kernel_id = cast_unicode(kernel_id, 'ascii') |
|
122 | self.kernel_id = cast_unicode(kernel_id, 'ascii') | |
90 | self.session = Session(config=self.config) |
|
123 | self.session = Session(config=self.config) | |
91 | self.save_on_message = self.on_message |
|
124 | self.save_on_message = self.on_message | |
@@ -114,4 +147,4 b' class AuthenticatedZMQStreamHandler(ZMQStreamHandler, IPythonHandler):' | |||||
114 | if self.get_current_user() is None: |
|
147 | if self.get_current_user() is None: | |
115 | self.log.warn("Couldn't authenticate WebSocket connection") |
|
148 | self.log.warn("Couldn't authenticate WebSocket connection") | |
116 | raise web.HTTPError(403) |
|
149 | raise web.HTTPError(403) | |
117 | self.on_message = self.save_on_message No newline at end of file |
|
150 | self.on_message = self.save_on_message |
General Comments 0
You need to be logged in to leave comments.
Login now