[tahoe-lafs-trac-stream] [tahoe-lafs] #1861: redirects in tahoe should not point to other origins

tahoe-lafs trac at tahoe-lafs.org
Sat Sep 14 17:38:18 UTC 2013


#1861: redirects in tahoe should not point to other origins
--------------------------------------------------------------------------
     Reporter:  ChosenOne
        Owner:  davidsarah
         Type:  enhancement
       Status:  assigned
    Milestone:  undecided
      Version:  1.9.2
     Priority:  normal
     Keywords:  webapi same-origin redirect websec
    Component:  code-frontend-web
   Resolution:
Launchpad Bug:
--------------------------------------------------------------------------
Changes (by zooko):

 * keywords:  webapi same-origin redirect => webapi same-origin redirect websec


Old description:

> From what I see in unlinked.py
> (https://tahoe-lafs.org/trac/tahoe-lafs/browser/trunk/src/allmydata/web/unlinked.py),
> most redirects could be filtered to only start with the protocol, domain
> and port of the web UI. I suppose this is non-trivial, but might be
> extracted from the HTTP request's Host header.
>
> The current redirection does not pose a severe risk, but it might at
> least prevent social engineering attacks in which a URL that starts with
> the tahoe's gw address winds up on a completely different web page.

New description:

 From what I see in unlinked.py
 (https://tahoe-lafs.org/trac/tahoe-lafs/browser/trunk/src/allmydata/web/unlinked.py),
 most redirects could be filtered to only start with the protocol, domain
 and port of the web UI. I suppose this is non-trivial, but might be
 extracted from the HTTP request's Host header.

 The current redirection does not pose a severe risk, but it might at least
 prevent social engineering attacks in which a URL that starts with the
 tahoe's gw address winds up on a completely different web page.

--

-- 
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1861#comment:3>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage
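The same-origin check the ticket asks for, as an added example rather than Tahoe-LAFS code: it derives the web UI's origin from the scheme it was served over and the request's Host header, then accepts a redirect target only if it is a local path or an absolute URL on exactly that scheme, host and port. The function names, the fallback path and the sample values are this example's own assumptions.

```python
# Added example (not Tahoe-LAFS code): keep redirects on the web UI's own
# origin, derived from the request scheme and Host header as the ticket suggests.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_from_host(scheme, host_header):
    """Return (scheme, hostname, port) of the web UI from its scheme and Host header."""
    parts = urlsplit("%s://%s" % (scheme, host_header))
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme.lower()]
    return (scheme.lower(), parts.hostname.lower(), port)


def is_same_origin_redirect(scheme, host_header, location):
    """True if `location` keeps the browser on the web UI's origin.

    Path-only targets (e.g. /uri/URI:DIR2:... cap paths) are accepted; absolute
    URLs must match scheme, host and port. Protocol-relative ("//other") and
    backslash-prefixed targets are rejected because browsers treat them as
    leaving the origin.
    """
    if not location:
        return False
    # Browsers normalise a leading backslash to a slash, so "\\x" acts like "//x".
    if location.startswith(("//", "\\", "/\\")):
        return False
    parts = urlsplit(location)
    if not parts.scheme and not parts.netloc:
        return location.startswith("/")  # relative path: stays on this origin
    if parts.scheme.lower() not in DEFAULT_PORTS or not parts.hostname:
        return False
    try:  # .port raises ValueError on a malformed port
        port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme.lower()]
    except ValueError:
        return False
    # urlsplit() resolves userinfo tricks like "http://host:port@other/" to hostname "other".
    target = (parts.scheme.lower(), parts.hostname.lower(), port)
    return target == origin_from_host(scheme, host_header)


def safe_redirect_target(scheme, host_header, location, fallback="/"):
    """Return `location` when it is same-origin, otherwise a local fallback path."""
    return location if is_same_origin_redirect(scheme, host_header, location) else fallback
```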
