#1861 closed enhancement (wontfix)

redirects in tahoe should not point to other origins

Reported by: ChosenOne Owned by: ChosenOne
Priority: normal Milestone: undecided
Component: code-frontend-web Version: 1.9.2
Keywords: webapi same-origin redirect websec Cc:
Launchpad Bug:

Description (last modified by zooko)

From what I see in unlinked.py (https://tahoe-lafs.org/trac/tahoe-lafs/browser/trunk/src/allmydata/web/unlinked.py), most redirects could be filtered to only start with the protocol, domain and port of the web UI. I suppose this is non-trivial, but might be extracted from the HTTP request's Host header.

The current redirection does not pose a severe risk, but it might at least prevent social engineering attacks in which a URL that starts with the tahoe gw's address winds up on a completely different web page.
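One way to implement the check the description proposes, as an added example that is not Tahoe-LAFS code: a redirect target is accepted only if it is a relative path (the form the gateway already uses) or an absolute URL whose scheme and host:port equal the gateway's own origin, taken from the request's Host header. The function names, the `request_host`/`request_scheme` parameters and the sample targets are constructed for this illustration.

```python
# Added example (not Tahoe-LAFS code): validate a Location target against the
# gateway's own origin. `request_host` is assumed to be the value of the HTTP
# Host header (e.g. "127.0.0.1:3456"); `request_scheme` is assumed to be known
# to the gateway (plain "http" by default). No default-port normalisation is done.
from urllib.parse import urlsplit

def is_same_origin_redirect(location, request_host, request_scheme="http"):
    """True if `location` stays on the gateway's origin."""
    # CR/LF would let the target inject headers; backslashes are treated as
    # slashes by some browsers, so neither is accepted in a redirect target.
    if any(ch in location for ch in "\r\n\\"):
        return False
    parts = urlsplit(location)
    if parts.scheme == "" and parts.netloc == "":
        # Plain relative path such as "/uri/...": keep it, but refuse anything
        # starting with "//" (or "///"), which browsers read as a new host.
        return location.startswith("/") and not location.startswith("//")
    # Scheme-relative "//other.example/" parses with an empty scheme and a
    # netloc, so it is rejected here along with javascript:, data:, etc.
    if parts.scheme not in ("http", "https"):
        return False
    if not request_host:
        # Without a Host header there is no origin to compare against.
        return False
    return (parts.scheme == request_scheme
            and parts.netloc.lower() == request_host.lower())

def safe_redirect_target(location, request_host, fallback="/", request_scheme="http"):
    """Return `location` if it is same-origin, otherwise the local fallback."""
    if is_same_origin_redirect(location, request_host, request_scheme):
        return location
    return fallback
```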

Change History (7)

comment:1 Changed at 2012-11-16T06:25:38Z by davidsarah

  • Component changed from unknown to code-frontend-web
  • Keywords webapi added
  • Status changed from new to assigned

comment:2 Changed at 2012-12-11T22:29:25Z by davidsarah

  • Keywords same-origin redirect added

comment:3 Changed at 2013-09-14T17:38:18Z by zooko

  • Description modified (diff)
  • Keywords websec added

comment:4 follow-up: Changed at 2013-09-14T22:39:00Z by daira

The redirects are intentionally relative (most of them; see #1928) in order to allow reverse proxies to work.

comment:5 in reply to: ↑ 4 Changed at 2013-09-14T23:00:38Z by zooko

  • Owner changed from davidsarah to ChosenOne
  • Status changed from assigned to new

Replying to daira:

The redirects are intentionally relative (most of them; see #1928) in order to allow reverse proxies to work.

So, I don't understand what ChosenOne's original issue was about. ChosenOne, daira: shall we close this ticket now?

comment:6 Changed at 2013-09-15T02:56:00Z by daira

If I understand correctly, the concern is with a kind of bounce attack. However, bounce URLs are commonplace on the web, so I'm also not sure how much of a real attack this is.

comment:7 Changed at 2013-09-15T05:40:21Z by zooko

  • Resolution set to wontfix
  • Status changed from new to closed