Add Origin Checking.
Kyle Kelley -
@@ -17,6 +17,11 b' Authors:'
17 #-----------------------------------------------------------------------------
17 #-----------------------------------------------------------------------------
18
18
19 try:
19 try:
20 from urllib.parse import urlparse
21 except ImportError:
22 from urlparse import urlparse
23
24 try:
20 from http.cookies import SimpleCookie # Py 3
25 from http.cookies import SimpleCookie # Py 3
21 except ImportError:
26 except ImportError:
22 from Cookie import SimpleCookie # Py 2
27 from Cookie import SimpleCookie # Py 2
@@ -37,6 +42,29 b' from .handlers import IPythonHandler'
37 #-----------------------------------------------------------------------------
42 #-----------------------------------------------------------------------------
38
43
39 class ZMQStreamHandler(websocket.WebSocketHandler):
44 class ZMQStreamHandler(websocket.WebSocketHandler):
45
46 def check_origin(self):
47 """Check origin from headers."""
48 origin_header = self.request.headers["Origin"]
49 host = self.request.headers["Host"]
50
51 parsed_origin = urlparse(origin_header)
52 origin = parsed_origin.netloc
53
54 # Check to see that origin matches host directly, including ports
55 if origin != host:
56 self.log.critical("Cross Origin WebSocket Attempt.", exc_info=True)
57 raise web.HTTPError(404)
58
59
60 def _execute(self, transforms, *args, **kwargs):
61 """Wrap all calls to make sure origin gets checked."""
62
63 # Check to see that origin matches host directly, including ports
64 self.check_origin()
65
66 # Pass on the rest of the handling by the WebSocketHandler
67 super(ZMQStreamHandler, self)._execute(transforms, *args, **kwargs)
40
68
41 def clear_cookie(self, *args, **kwargs):
69 def clear_cookie(self, *args, **kwargs):
42 """meaningless for websockets"""
70 """meaningless for websockets"""
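Review bot: `check_origin` reads `self.request.headers["Origin"]` and `["Host"]` by index, so a handshake that omits either header raises `KeyError` instead of taking a deliberate accept-or-reject path. Missing headers should be handled explicitly, and the policy for clients that send no Origin should be stated in the docstring. Because the check runs in `_execute` before `super()._execute(...)`, the exception is raised outside the base handler's own call; it is worth confirming that the client really receives a 404 and not a dropped connection with a traceback in the log. `exc_info=True` is passed with no active exception, so it adds nothing to the log record. The string comparison is also case-sensitive, although host names are not.

```python
    def check_origin(self):
        """Reject WebSocket handshakes whose Origin does not match Host.

        A request without an Origin or Host header is rejected as well.
        """
        origin_header = self.request.headers.get("Origin")
        host = self.request.headers.get("Host")
        if origin_header is None or host is None:
            self.log.critical("WebSocket request without Origin or Host header.")
            raise web.HTTPError(404)

        # Host names are case-insensitive; compare netloc and Host normalised.
        origin = urlparse(origin_header).netloc.lower()
        if origin != host.lower():
            self.log.critical("Cross Origin WebSocket Attempt.")
            raise web.HTTPError(404)
```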