Opened at 2012-11-15T11:18:57Z
Closed at 2013-09-15T05:40:21Z
#1861 closed enhancement (wontfix)
redirects in tahoe should not point to other origins
Reported by: | ChosenOne | Owned by: | ChosenOne |
---|---|---|---|
Priority: | normal | Milestone: | undecided |
Component: | code-frontend-web | Version: | 1.9.2 |
Keywords: | webapi same-origin redirect websec | Cc: | |
Launchpad Bug: |
Description (last modified by zooko)
From what I see in unlinked.py (https://tahoe-lafs.org/trac/tahoe-lafs/browser/trunk/src/allmydata/web/unlinked.py), most redirects could be filtered to only start with the protocol, domain and port of the web UI. I suppose this is non-trivial, but might be extracted from the HTTP request's Host header.
The current redirection does not pose a severe risk, but it might at least prevent social engineering attacks in which a URL that starts with the tahoe's gw address winds up on a completely different web page.
Change History (7)
comment:1 Changed at 2012-11-16T06:25:38Z by davidsarah
- Component changed from unknown to code-frontend-web
- Keywords webapi added
- Status changed from new to assigned
comment:2 Changed at 2012-12-11T22:29:25Z by davidsarah
- Keywords same-origin redirect added
comment:3 Changed at 2013-09-14T17:38:18Z by zooko
- Description modified (diff)
- Keywords websec added
comment:4 follow-up: ↓ 5 Changed at 2013-09-14T22:39:00Z by daira
comment:5 in reply to: ↑ 4 Changed at 2013-09-14T23:00:38Z by zooko
- Owner changed from davidsarah to ChosenOne
- Status changed from assigned to new
comment:6 Changed at 2013-09-15T02:56:00Z by daira
If I understand correctly, the concern is with a kind of bounce attack. However, bounce URLs are commonplace on the web, so I'm also not sure how much of a real attack this is.
comment:7 Changed at 2013-09-15T05:40:21Z by zooko
- Resolution set to wontfix
- Status changed from new to closed
The redirects are intentionally relative (most of them; see #1928) in order to allow reverse proxies to work.
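
The filter proposed in the description, sketched in Python as an added example (this is not Tahoe-LAFS code and not part of the ticket): it accepts relative redirect targets, which is the form the closing comment says the gateway uses, and absolute ones only when scheme, host and port match the request. The function names, the gateway address `127.0.0.1:3456` and the sample targets are constructed for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(scheme, netloc):
    """Return a comparable (scheme, host, port) tuple; ValueError if malformed."""
    if "@" in netloc:
        # "http://gateway@other.example/" puts the trusted name in userinfo.
        raise ValueError("userinfo not allowed in redirect targets")
    parts = urlsplit(f"{scheme}://{netloc}")
    if not parts.hostname:
        raise ValueError("empty host")
    # .port raises ValueError on non-numeric or out-of-range ports.
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname, port)  # hostname is already lower-cased


def is_same_origin_redirect(target, request_scheme, host_header):
    """True if `target` keeps the browser on the origin that served the request.

    Assumption: request_scheme and host_header describe the URL the browser
    used. Behind a reverse proxy the gateway may see different values, and the
    Host header is client-supplied, so only relative targets are always safe.
    """
    # Browsers treat "\" like "/" and drop tabs/newlines while parsing URLs,
    # so a target containing them may resolve differently than it parses here.
    if not target or any(ord(c) <= 0x20 or c == "\\" for c in target):
        return False
    try:
        parts = urlsplit(target)
        if not parts.scheme and not parts.netloc:
            # Relative reference. "///host/" has an empty netloc for urlsplit,
            # but browsers skip the extra slashes and go to that host.
            return not target.startswith("//")
        scheme = (parts.scheme or request_scheme).lower()
        if scheme not in DEFAULT_PORTS or not parts.netloc:
            return False  # javascript:, data:, "http:path", "http:///host"
        return _origin(scheme, parts.netloc) == _origin(
            request_scheme.lower(), host_header)
    except ValueError:
        return False  # malformed IPv6 literal, bad port, userinfo, empty host
```
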