misplaced trust in Host header
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Zope 2 |
Invalid
|
Wishlist
|
Unassigned | ||
Bug Description
Zope implicitly trusts the Host header from client requests, and uses its
value to construct the results from absolute_url(), and the URL*, BASE*,
and REQUESTPATH* HTTPRequest object variables. Unfortunately that behavior
allows malicious requests to poison server-side caches, tamper with log
files, and until recently posed a cross-site-
Ideally Zope would know which domains its responsible for and do something
sensible with requests for resources outside of its jurisdiction.
Several partial workarounds exist, but they tend to be problematic.
Using a VirtualHostMonster reduces the risk from malicious Host headers
provided the gateway server does host validation. Unfortunately VHMs
obtain their host data via the traversal stack, which can't be trusted
either, which leaves us somewhat screwed one way or the other.
References to bear in mind:
issue #813, where all this started
http://
http://
This bug is security related, but it should remain public (as should all bugs IMO.)
| Tres Seaver (tseaver) wrote | #1 |
| Changed in zope2: | |
| importance: | Medium → Wishlist |
| status: | New → Triaged |
| Colin Watson (cjwatson) wrote | #2 |
| Changed in zope2: | |
| status: | Triaged → Invalid |
If it weren't for the allegation that this bug is security related, I would
WONTFIX it today.
I'm leaving it open in case somebody wants to propose some "tinfoil hat"
remediation, but there is effectively zero chance of any such patch landing
in Zope itself: it would likely break nearly every application deployed
today.