Opened at 2012-11-15T11:18:57Z
Last modified at 2013-09-15T05:40:21Z
#1861 closed enhancement
redirects in tahoe should not point to other origins — at Version 3
| Reported by: | ChosenOne | Owned by: | davidsarah |
|---|---|---|---|
| Priority: | normal | Milestone: | undecided |
| Component: | code-frontend-web | Version: | 1.9.2 |
| Keywords: | webapi same-origin redirect websec | Cc: | |
| Launchpad Bug: | | | |
Description (last modified by zooko)
From what I see in unlinked.py (https://tahoe-lafs.org/trac/tahoe-lafs/browser/trunk/src/allmydata/web/unlinked.py), most redirects could be filtered to only start with the protocol, domain and port of the web UI. I suppose this is non-trivial, but might be extracted from the HTTP request's Host header.
The current redirection does not pose a severe risk, but it might at least prevent social engineering attacks in which a URL that starts with the Tahoe gateway's address winds up on a completely different web page.
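The check the description asks for, as an added example written for this page and not code from Tahoe-LAFS or from unlinked.py: a redirect target is accepted only if it is relative (no authority) or if its scheme, host and port match the origin the browser used to reach the gateway, which is recovered from the request's Host header. The function names origin_of_request, is_same_origin_redirect and safe_redirect_target, the sample Host header 127.0.0.1:3456 and the sample URLs are assumptions for illustration; it also assumes the caller knows which scheme (http or https) the gateway is served on, since the Host header does not carry that. Beyond the plain "other domain" case it also rejects protocol-relative targets (//evil.example/), non-http(s) schemes, userinfo in the authority, out-of-range ports and backslashes, which some browsers treat as slashes when resolving a Location header.

```python
from urllib.parse import urlsplit

# Default ports, so that "http://gw.example/" and "http://gw.example:80/"
# are recognised as the same origin.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of_request(scheme, host_header):
    """Return the (scheme, host, port) origin the browser used for this request.

    `scheme` is the scheme the gateway is actually serving on ("http" or
    "https"); assumption: the caller knows it, e.g. from the listener.
    `host_header` is the raw Host header, e.g. "127.0.0.1:3456".
    Raises ValueError on an empty/malformed Host header or a bad port.
    """
    parts = urlsplit("//" + host_header)   # parse the value as an authority only
    if parts.hostname is None:
        raise ValueError("empty or malformed Host header: %r" % (host_header,))
    scheme = scheme.lower()
    return (scheme, parts.hostname, parts.port or DEFAULT_PORTS[scheme])


def is_same_origin_redirect(target, request_origin):
    """True only if `target` stays on `request_origin`.

    Accepted: path-relative and absolute-path targets (no authority), and
    absolute http(s) URLs whose scheme/host/port equal the request origin.
    Rejected: any other origin, protocol-relative URLs, non-http(s) schemes,
    userinfo in the authority, invalid ports, and backslashes.
    """
    if "\\" in target:
        # Browsers treat "\" like "/" when resolving, so "/\evil.example/"
        # would become "//evil.example/"; refuse outright.
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        return True                      # relative: resolves on the gateway itself
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return False                     # "//host/..." (empty scheme), javascript:, data:, ...
    if parts.username is not None or parts.password is not None:
        return False                     # "http://gw:3456@evil.example/" style confusion
    try:
        port = parts.port                # raises ValueError if not an int or out of range
    except ValueError:
        return False
    if parts.hostname is None:
        return False
    return (scheme, parts.hostname, port or DEFAULT_PORTS[scheme]) == request_origin


def safe_redirect_target(target, request_origin, fallback="/"):
    """The target itself if it is same-origin, else a safe local fallback."""
    return target if is_same_origin_redirect(target, request_origin) else fallback


if __name__ == "__main__":
    # Constructed sample: gateway reached as http://127.0.0.1:3456
    origin = origin_of_request("http", "127.0.0.1:3456")
    for t in ["/uri/URI%3ADIR2%3Aabc/",            # relative: accepted
              "http://127.0.0.1:3456/uri",         # same origin: accepted
              "http://127.0.0.1/uri",              # port 80 != 3456: rejected
              "//evil.example/",                   # protocol-relative: rejected
              "http://127.0.0.1:3456@evil.example/",  # userinfo trick: rejected
              "/\\evil.example/"]:                 # backslash trick: rejected
        print("%-40s -> %s" % (t, safe_redirect_target(t, origin)))
```

The comparison is on the normalised tuple rather than on a string prefix: a prefix test such as `target.startswith("http://127.0.0.1:3456")` would accept `http://127.0.0.1:34567/` and `http://127.0.0.1:3456.evil.example/`, which is exactly the class of lookalike URL the ticket is worried about.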
Change History (3)
comment:1 Changed at 2012-11-16T06:25:38Z by davidsarah
- Component changed from unknown to code-frontend-web
- Keywords webapi added
- Status changed from new to assigned
comment:2 Changed at 2012-12-11T22:29:25Z by davidsarah
- Keywords same-origin redirect added
comment:3 Changed at 2013-09-14T17:38:18Z by zooko
- Description modified (diff)
- Keywords websec added