From mike at vee.net Fri Jan 3 08:27:43 2014
From: mike at vee.net (Michael Gratton)
Date: Fri, 03 Jan 2014 18:27:43 +1100
Subject: [Web-SIG] PEP 3333 URL Reconstruction poor security practice
Message-ID: <52C6666F.5080308@vee.net>

Hi,

I couldn't find discussion of this in the archives, but it seems that the URL Reconstruction section in PEP 3333 is recommending poor practice. The issue is the suggested use of the HTTP Host header. Since this value is client-supplied, a malicious user could craft an exploit in applications that use this algorithm for cache poisoning, cross-site scripting (XSS) and possibly other attacks.

Consider two examples:

Host: 
Host: evil.com

The value of the header can be URL-encoded, i.e.:

url += quote(environ['HTTP_HOST'])

However, this helps only for the first case, not the second. Hence it really should not be used at all.

Depending on the WSGI server implementation, there might be an argument to URL-encode the SERVER_NAME value as well.

//Mike

-- 
Michael Gratton, Percept Wrangler.
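As an added illustration (not from the mail above or from PEP 3333 itself), here is the PEP's reconstruction algorithm beside a variant that only copies HTTP_HOST into the URL when it is syntactically a host[:port] and its host part is on a deployment-configured allowlist, falling back to SERVER_NAME/SERVER_PORT otherwise. The allowlist, the regex and the sample environ are assumptions constructed for the example.

```python
import re
from urllib.parse import quote

# Host header shape: host[:port]; host is a DNS name, IPv4 literal or [IPv6].
_HOST_RE = re.compile(r'^([A-Za-z0-9.-]+|\[[0-9A-Fa-f:.]+\])(?::\d{1,5})?$')


def _server_authority(environ):
    # Trusted fallback from server configuration; port only when non-default.
    default = '443' if environ['wsgi.url_scheme'] == 'https' else '80'
    authority = environ['SERVER_NAME']
    if environ['SERVER_PORT'] != default:
        authority += ':' + environ['SERVER_PORT']
    return authority


def _path_and_query(environ):
    rest = quote(environ.get('SCRIPT_NAME', '')) + quote(environ.get('PATH_INFO', ''))
    if environ.get('QUERY_STRING'):
        rest += '?' + environ['QUERY_STRING']
    return rest


def reconstruct_url_pep3333(environ):
    """URL reconstruction as PEP 3333 gives it: HTTP_HOST is copied verbatim."""
    authority = environ.get('HTTP_HOST') or _server_authority(environ)
    return environ['wsgi.url_scheme'] + '://' + authority + _path_and_query(environ)


def reconstruct_url_checked(environ, allowed_hosts):
    """Use HTTP_HOST only if it is well-formed and its host part is on the
    deployment's allowlist; otherwise fall back to SERVER_NAME/SERVER_PORT."""
    host_header = environ.get('HTTP_HOST', '')
    m = _HOST_RE.match(host_header)
    allowed = {h.lower() for h in allowed_hosts}
    if m and m.group(1).lower() in allowed:
        return environ['wsgi.url_scheme'] + '://' + host_header + _path_and_query(environ)
    return environ['wsgi.url_scheme'] + '://' + _server_authority(environ) + _path_and_query(environ)


# Constructed WSGI environ: the server is www.example.com, the client sent Host: evil.com.
SAMPLE_ENVIRON = {
    'wsgi.url_scheme': 'http', 'SERVER_NAME': 'www.example.com', 'SERVER_PORT': '80',
    'HTTP_HOST': 'evil.com', 'SCRIPT_NAME': '/app', 'PATH_INFO': '/reset', 'QUERY_STRING': 'u=1',
}

if __name__ == '__main__':
    print(reconstruct_url_pep3333(SAMPLE_ENVIRON))                       # http://evil.com/app/reset?u=1
    print(reconstruct_url_checked(SAMPLE_ENVIRON, ['www.example.com']))  # http://www.example.com/app/reset?u=1
```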