[Web-SIG] PEP 3333 URL Reconstruction poor security practice

Michael Gratton mike at vee.net
Fri Jan 3 08:27:43 CET 2014


Hi,

I couldn't find discussion of this in the archives, but it seems that
the URL Reconstruction section in PEP 3333 is recommending poor practice.

The issue is the suggested use of the HTTP Host header. Since this value
is client-supplied, a malicious user could craft an exploit in
applications that use this algorithm for cache poisoning, cross-site
scripting (XSS) and possibly other attacks. Consider two examples:

  Host: <script>alert('XSS')</script>
  Host: evil.com

The value of the header can be URL-encoded, i.e.:

  url += quote(environ['HTTP_HOST'])

However, this helps only with the first case, not the second. Hence it
really should not be used at all.

Depending on the WSGI server implementation, there might be an argument
to URL-encode the SERVER_NAME value, as well.

//Mike

-- 
⊨ Michael Gratton, Percept Wrangler.
⚙ <http://mjog.vee.net/>
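The two Host values from the post, run through the PEP 3333 reconstruction algorithm as the PEP prints it and then through a variant that validates the header against an allow-list of configured hostnames before using it. This is an added example, not code from the original post or from PEP 3333's own text; the allow-list check, the `BadHost` exception, the `host_accepted` helper and the `demo_environ` sample request are assumptions made for illustration.

```python
"""PEP 3333's URL reconstruction (trusts HTTP_HOST) beside a variant that
checks the client-supplied Host header against an allow-list first.
Added example; the allow-list design is an assumption, not PEP text."""
import re
from urllib.parse import quote


class BadHost(ValueError):
    """Raised when Host is malformed or not allow-listed (assumed name).
    A WSGI app would normally answer this with 400 Bad Request."""


# Syntax check only: DNS hostname labels, or a bracketed IPv6 literal,
# optionally followed by ':port'. Anything else (e.g. '<script>') fails.
_HOST_RE = re.compile(
    r"^(?P<host>"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*\.?"
    r"|\[[0-9a-f:.]+\]"
    r")(?::(?P<port>[0-9]{1,5}))?$",
    re.IGNORECASE,
)


def pep3333_url(environ):
    """The reconstruction algorithm as given in PEP 3333: HTTP_HOST wins
    whenever the client sent one, and it is used without validation."""
    url = environ['wsgi.url_scheme'] + '://'
    if environ.get('HTTP_HOST'):
        url += environ['HTTP_HOST']
    else:
        url += environ['SERVER_NAME']
        if environ['wsgi.url_scheme'] == 'https':
            if environ['SERVER_PORT'] != '443':
                url += ':' + environ['SERVER_PORT']
        else:
            if environ['SERVER_PORT'] != '80':
                url += ':' + environ['SERVER_PORT']
    url += quote(environ.get('SCRIPT_NAME', ''))
    url += quote(environ.get('PATH_INFO', ''))
    if environ.get('QUERY_STRING'):
        url += '?' + environ['QUERY_STRING']
    return url


def checked_host(environ, allowed_hosts):
    """Return the lower-cased 'host[:port]' from the Host header only if
    it is well formed and its host part is in allowed_hosts; raise
    BadHost otherwise. A missing Host header returns None so the caller
    can fall back to SERVER_NAME, which the server set, not the client."""
    raw = environ.get('HTTP_HOST')
    if not raw:
        return None
    m = _HOST_RE.match(raw)
    if not m:
        raise BadHost('malformed Host header: %r' % raw)
    port = m.group('port')
    if port is not None and not 0 < int(port) < 65536:
        raise BadHost('bad port in Host header: %r' % raw)
    host = m.group('host').lower().rstrip('.')
    if host not in {h.lower() for h in allowed_hosts}:
        raise BadHost('Host %r not in allow-list' % host)
    return raw.lower()


def safe_url(environ, allowed_hosts):
    """Same result as pep3333_url for legitimate requests, but Host is
    validated first; an unacceptable Host raises rather than leaking
    attacker-controlled text into the reconstructed URL."""
    env = dict(environ)
    host = checked_host(environ, allowed_hosts)
    if host is None:
        env.pop('HTTP_HOST', None)   # fall back to SERVER_NAME/SERVER_PORT
    else:
        env['HTTP_HOST'] = host
    return pep3333_url(env)


def host_accepted(environ, allowed_hosts):
    """True if safe_url would accept this request's Host header."""
    try:
        checked_host(environ, allowed_hosts)
        return True
    except BadHost:
        return False


def demo_environ(host):
    """Constructed WSGI environ (sample data) for GET /app/path?x=1."""
    env = {
        'wsgi.url_scheme': 'http',
        'SERVER_NAME': 'www.example.com',
        'SERVER_PORT': '80',
        'SCRIPT_NAME': '/app',
        'PATH_INFO': '/path',
        'QUERY_STRING': 'x=1',
    }
    if host is not None:
        env['HTTP_HOST'] = host
    return env


if __name__ == '__main__':
    for h in ["<script>alert('XSS')</script>", 'evil.com']:
        print('PEP 3333 :', pep3333_url(demo_environ(h)))
        print('accepted?:', host_accepted(demo_environ(h), ['www.example.com']))
```

The allow-list is the same approach a framework setting such as Django's ALLOWED_HOSTS takes: the syntax check alone stops the first example, but only comparison against names the operator actually serves stops the second. Whether to answer a rejected Host with 400 or to silently fall back to SERVER_NAME is an application decision; falling back hides misconfiguration, so rejecting is the safer default.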


