upstream/ipython Commit - r17898:f1b046e7

Merge pull request from minrk/origin-check-no-proto...

Min RK -

r17898:f1b046e7

parent child

IPython/html/base/zmqhandlers.py

0 +16 -7

                      host = self.request.headers.get("Host")
                      # If no header is provided, assume we can't verify origin
-                     if(origin is None or host is None):
+                     if origin is None:
+                         self.log.warn("Missing Origin header, rejecting WebSocket connection.")
+                         return False
+                     if host is None:
+                         self.log.warn("Missing Host header, rejecting WebSocket connection.")
                          return False
-                     host_origin = "{0}://{1}".format(self.request.protocol, host)
+                     origin = origin.lower()
+                     origin_host = urlparse(origin).netloc
                      # OK if origin matches host
-                     if origin == host_origin:
+                     if origin_host == host:
                          return True
                      # Check CORS headers
                      if self.allow_origin:
-                         return self.allow_origin == origin
+                         allow = self.allow_origin == origin
                      elif self.allow_origin_pat:
-                         return bool(self.allow_origin_pat.match(origin))
+                         allow = bool(self.allow_origin_pat.match(origin))
                      else:
                          # No CORS headers deny the request
-                         return False
+                         allow = False
+                     if not allow:
+                         self.log.warn("Blocking Cross Origin WebSocket Attempt.  Origin: %s, Host: %s",
+                             origin, host,
+                         )
+                     return allow
                  def clear_cookie(self, *args, **kwargs):
                      """meaningless for websockets"""
                      # Tornado 4 already does CORS checking
                      if tornado.version_info[0] < 4:
                          if not self.check_origin(self.get_origin()):
-                             self.log.warn("Cross Origin WebSocket Attempt from %s", self.get_origin())
                              raise web.HTTPError(403)
                      self.session = Session(config=self.config)

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages