forwarding browser headers on remote content requests
-----------------------------------------------------
Key: SHINDIG-133
URL: https://issues.apache.org/jira/browse/SHINDIG-133
Project: Shindig
Issue Type: Bug
Components: Gadgets Server - Java
Reporter: Brian Eaton
There is some fairly dodgy code in ProxyHandler.java. If a GET request shows
up at the server, nearly all of the headers sent from the browser are forwarded
to the backend. This should be replaced with a white list of headers that are
OK to copy out of the request.
As an example of various things that are likely to go wrong with the current
code:
- cookies will be forwarded (and yes, I know gadgets shouldn't have cookies,
but if they do we shouldn't leak them this way.)
- some hop-by-hop headers will be forwarded
There are probably other issues.
Problem code is here:
    if ("POST".equals(method)) {
        ....
    } else {
        postBody = null;
        headers = new HashMap<String, List<String>>();
        // Every header the browser sent is copied, whatever its name.
        Enumeration<String> headerNames = request.getHeaderNames();
        while (headerNames.hasMoreElements()) {
            String header = headerNames.nextElement();
            headers.put(header, Collections.list(request.getHeaders(header)));
        }
    }
    removeUnsafeHeaders(headers);
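As an added illustration (not Shindig's code), here is the same copy loop rewritten against an explicit allow list, so that Cookie, Authorization and hop-by-hop headers are dropped by default rather than relying on a blacklist; the allowed header set and the sample browser headers are assumptions chosen for the example.

```java
import java.util.*;

// Added example, not Shindig's code: forward browser request headers to a
// backend using an allow list instead of copying everything.
public class HeaderAllowList {
    // Headers a GET proxy may safely copy (assumption: list chosen for this
    // example). Kept lower-case because HTTP header names are case-insensitive.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
        "accept", "accept-language", "accept-encoding", "user-agent",
        "if-modified-since", "if-none-match"));

    // Deny by default: Cookie, Authorization, Host and hop-by-hop headers such
    // as Connection, Keep-Alive, Proxy-Authorization or Transfer-Encoding are
    // never on the list, so they are dropped without a separate blacklist.
    // In a servlet, browserHeaders would be built from request.getHeaderNames()
    // and request.getHeaders(name), exactly as in the loop above.
    public static Map<String, List<String>> copyAllowed(
            Map<String, List<String>> browserHeaders) {
        Map<String, List<String>> out = new HashMap<>();
        for (Map.Entry<String, List<String>> e : browserHeaders.entrySet()) {
            String name = e.getKey().toLowerCase(Locale.ROOT);
            if (ALLOWED.contains(name)) {
                out.put(name, new ArrayList<>(e.getValue()));
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample of what a browser might send to the proxy.
        Map<String, List<String>> browser = new LinkedHashMap<>();
        browser.put("Accept", Collections.singletonList("*/*"));
        browser.put("User-Agent", Collections.singletonList("ExampleBrowser/1.0"));
        browser.put("Cookie", Collections.singletonList("session=example-value"));
        browser.put("Connection", Collections.singletonList("keep-alive"));
        browser.put("Authorization", Collections.singletonList("Bearer example-token"));

        Map<String, List<String>> forwarded = copyAllowed(browser);
        // Only accept and user-agent survive; cookie, connection and
        // authorization never reach the backend.
        System.out.println(forwarded);
    }
}
```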