##// END OF EJS Templates
Merge pull request #6480 from minrk/origin-check-no-proto...
Min RK -
r17898:f1b046e7 merge
parent child Browse files
Show More
@@ -42,23 +42,33 b' class ZMQStreamHandler(websocket.WebSocketHandler):'
42 host = self.request.headers.get("Host")
42 host = self.request.headers.get("Host")
43
43
44 # If no header is provided, assume we can't verify origin
44 # If no header is provided, assume we can't verify origin
45 if(origin is None or host is None):
45 if origin is None:
46 self.log.warn("Missing Origin header, rejecting WebSocket connection.")
47 return False
48 if host is None:
49 self.log.warn("Missing Host header, rejecting WebSocket connection.")
46 return False
50 return False
47
51
48 host_origin = "{0}://{1}".format(self.request.protocol, host)
52 origin = origin.lower()
53 origin_host = urlparse(origin).netloc
49
54
50 # OK if origin matches host
55 # OK if origin matches host
51 if origin == host_origin:
56 if origin_host == host:
52 return True
57 return True
53
58
54 # Check CORS headers
59 # Check CORS headers
55 if self.allow_origin:
60 if self.allow_origin:
56 return self.allow_origin == origin
61 allow = self.allow_origin == origin
57 elif self.allow_origin_pat:
62 elif self.allow_origin_pat:
58 return bool(self.allow_origin_pat.match(origin))
63 allow = bool(self.allow_origin_pat.match(origin))
59 else:
64 else:
60 # No CORS headers deny the request
65 # No CORS headers deny the request
61 return False
66 allow = False
67 if not allow:
68 self.log.warn("Blocking Cross Origin WebSocket Attempt. Origin: %s, Host: %s",
69 origin, host,
70 )
71 return allow
62
72
63 def clear_cookie(self, *args, **kwargs):
73 def clear_cookie(self, *args, **kwargs):
64 """meaningless for websockets"""
74 """meaningless for websockets"""
@@ -143,7 +153,6 b' class AuthenticatedZMQStreamHandler(ZMQStreamHandler, IPythonHandler):'
143 # Tornado 4 already does CORS checking
153 # Tornado 4 already does CORS checking
144 if tornado.version_info[0] < 4:
154 if tornado.version_info[0] < 4:
145 if not self.check_origin(self.get_origin()):
155 if not self.check_origin(self.get_origin()):
146 self.log.warn("Cross Origin WebSocket Attempt from %s", self.get_origin())
147 raise web.HTTPError(403)
156 raise web.HTTPError(403)
148
157
149 self.session = Session(config=self.config)
158 self.session = Session(config=self.config)
General Comments 0
You need to be logged in to leave comments. Login now