From mike at vee.net Fri Jan 3 08:27:43 2014
From: mike at vee.net (Michael Gratton)
Date: Fri, 03 Jan 2014 18:27:43 +1100
Subject: [Web-SIG] PEP 3333 URL Reconstruction poor security practice
Message-ID: <52C6666F.5080308@vee.net>
Hi,
I couldn't find discussion of this in the archives, but it seems that
the URL Reconstruction section in PEP 3333 is recommending poor practice.
The issue is the suggested use of the HTTP Host header. Since this value
is client-supplied, a malicious user could craft an exploit in
applications that use this algorithm for cache poisoning, cross-site
scripting (XSS) and possibly other attacks. Consider two examples:
Host:
Host: evil.com
The value of the header can be URL-encoded, i.e.:
url += quote(environ['HTTP_HOST'])
However, this helps only for the first case, not the second. Hence it
really should not be used at all.
Depending on the WSGI server implementation, there might be an argument
to URL-encode the SERVER_NAME value, as well.
//Mike
--
Michael Gratton, Percept Wrangler.
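To make the point concrete, here is an added example of a hardened variant of the PEP 3333 URL reconstruction algorithm. It is not Mike's code and not text from the PEP: the function names, the `UntrustedHost` exception and the allowlist argument are assumptions. The idea is the one Django-style `ALLOWED_HOSTS` checks use: the Host header is only ever copied into the URL after it has been checked for strict hostname syntax and matched against the names the deployment actually serves; anything else is rejected rather than encoded. The sample environ dictionaries are constructed for the demonstration.

```python
import re
from urllib.parse import quote

# Strict syntax for a Host value: DNS-style labels, optional ":port".
# Anything outside this grammar (spaces, quotes, angle brackets, slashes)
# is rejected before it can reach a URL, a cache key or a rendered page.
_HOST_RE = re.compile(
    r"^(?P<host>[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*\.?)"
    r"(?::(?P<port>\d{1,5}))?$",
    re.IGNORECASE,
)


class UntrustedHost(ValueError):
    """Raised when the client-supplied Host header is not one we serve."""


def validated_host(environ, allowed_hosts):
    """Return a normalised 'host[:port]' from HTTP_HOST, or raise.

    allowed_hosts is the set of hostnames this deployment is configured
    to answer for (assumed to come from deployment configuration).
    """
    raw = environ.get("HTTP_HOST", "")
    match = _HOST_RE.match(raw)
    if match is None:
        raise UntrustedHost("Host header is not a syntactically valid host")
    host = match.group("host").lower().rstrip(".")
    if host not in allowed_hosts:
        raise UntrustedHost("Host header %r is not an allowed host" % host)
    port = match.group("port")
    return host if port is None else "%s:%s" % (host, port)


def reconstruct_url(environ, allowed_hosts):
    """PEP 3333 URL reconstruction with Host validation added.

    Falls back to SERVER_NAME/SERVER_PORT exactly as the PEP does when no
    Host header is present; SERVER_NAME is taken from server configuration
    rather than from the client, so it is not validated here.
    """
    scheme = environ["wsgi.url_scheme"]
    url = scheme + "://"
    if environ.get("HTTP_HOST"):
        url += validated_host(environ, allowed_hosts)
    else:
        url += environ["SERVER_NAME"]
        port = environ["SERVER_PORT"]
        default_port = "443" if scheme == "https" else "80"
        if port != default_port:
            url += ":" + port
    url += quote(environ.get("SCRIPT_NAME", ""))
    url += quote(environ.get("PATH_INFO", ""))
    if environ.get("QUERY_STRING"):
        url += "?" + environ["QUERY_STRING"]
    return url


def is_trusted_host(environ, allowed_hosts):
    """Boolean convenience wrapper, e.g. for a middleware that answers 400."""
    try:
        validated_host(environ, allowed_hosts)
    except UntrustedHost:
        return False
    return True


if __name__ == "__main__":
    allowed = {"example.com", "www.example.com"}
    # Constructed environ: a legitimate request.
    good = {"wsgi.url_scheme": "https", "HTTP_HOST": "example.com",
            "SCRIPT_NAME": "/app", "PATH_INFO": "/x y", "QUERY_STRING": "a=1"}
    print(reconstruct_url(good, allowed))          # https://example.com/app/x%20y?a=1
    # Constructed environ: a Host value that is not one of ours.
    other = dict(good, HTTP_HOST="evil.com")
    print(is_trusted_host(other, allowed))         # False
    # Constructed environ: markup characters in the Host value.
    junk = dict(good, HTTP_HOST="example.com<b>")
    print(is_trusted_host(junk, allowed))          # False
```

A middleware in front of the application can call `is_trusted_host` and return 400 for anything that fails, so that no downstream code ever sees an unvalidated Host. Note that this is a deployment-level allowlist, not encoding: as the message above says, URL-encoding the header only addresses malformed values, not a well-formed but foreign hostname.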