The current code is pulling headers directly out of the HTTP request
sent from the client and forwarding them on.  That's just broken.

At some point we should worry about what HTTP headers to allow when
gadgets intentionally ask to forward headers.  In the meantime we
should stop forwarding headers that gadgets didn't ask us to forward
in the first place.

On Mon, Mar 17, 2008 at 11:21 AM, John Panzer <[EMAIL PROTECTED]> wrote:
> Problem:  Whitelisting headers will inevitably miss some (Slug:?)
>  which some gadget will need somewhere.
>
>  Same issue that the W3C is struggling with over cross-site requests
>  for browsers.  Possibly that discussion has come up with a good
>  blacklist...
>
>  I know that black lists aren't good security, but...
>
>
>
>  On Mon, Mar 17, 2008 at 5:49 AM, Brian Eaton (JIRA) <[EMAIL PROTECTED]> wrote:
>  > forwarding browser headers on remote content requests
>  >  -----------------------------------------------------
>  >
>  >                  Key: SHINDIG-133
>  >                  URL: https://issues.apache.org/jira/browse/SHINDIG-133
>  >              Project: Shindig
>  >           Issue Type: Bug
>  >           Components: Gadgets Server - Java
>  >             Reporter: Brian Eaton
>  >
>  >
>  >  There is some fairly dodgy code in ProxyHandler.java.  If a GET request
>  >  shows up at the server, nearly all of the headers sent from the browser are
>  >  forwarded to the backend.  This should be replaced with a white list of
>  >  headers that are OK to copy out of the request.
>  >
>  >  As an example of various things that are likely to go wrong with the
>  >  current code:
>  >  - cookies will be forwarded (and yes, I know gadgets shouldn't have
>  >    cookies, but if they do we shouldn't leak them this way.)
>  >  - some hop by hop headers will be forwarded
>  >
>  >  There are probably other issues.
>  >
>  >  Problem code is here:
>  >
>  >       if ("POST".equals(method)) {
>  >          ....
>  >       } else {
>  >         postBody = null;
>  >         headers = new HashMap<String, List<String>>();
>  >         Enumeration<String> headerNames = request.getHeaderNames();
>  >         while (headerNames.hasMoreElements()) {
>  >           String header = headerNames.nextElement();
>  >           headers.put(header, Collections.list(request.getHeaders(header)));
>  >         }
>  >       }
>  >
>  >       removeUnsafeHeaders(headers);
>  >
>  >
>  >  --
>  >  This message is automatically generated by JIRA.
>  >  -
>  >  You can reply to this email to add a comment to the issue online.
>  >
>  >
>
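The allowlist approach the issue asks for, as an added example that is not Shindig's own code: only known-safe end-to-end headers (plus any the gadget explicitly requested, a hypothetical `gadgetRequested` argument) are copied, while hop-by-hop headers and credentials such as Cookie are dropped regardless. The input map stands in for what the loop above pulls out of `HttpServletRequest`.

```java
import java.util.*;

// Added example (not Shindig's code): build the set of request headers that
// may be forwarded to the backend, instead of copying everything the browser sent.
public class HeaderAllowlist {
  // End-to-end headers that are generally safe to copy from the browser.
  private static final Set<String> DEFAULT_ALLOWED = new HashSet<>(Arrays.asList(
      "accept", "accept-language", "accept-charset", "user-agent",
      "if-modified-since", "if-none-match", "cache-control", "pragma"));

  // Hop-by-hop headers: meaningful only on the browser->proxy connection.
  private static final Set<String> HOP_BY_HOP = new HashSet<>(Arrays.asList(
      "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
      "te", "trailers", "transfer-encoding", "upgrade"));

  // Credentials for the proxy host; never meaningful for the backend.
  private static final Set<String> CREDENTIALS = new HashSet<>(Arrays.asList(
      "cookie", "authorization"));

  // requestHeaders: name -> values as received from the browser.
  // gadgetRequested (hypothetical): extra header names the gadget asked to forward.
  public static Map<String, List<String>> filter(
      Map<String, List<String>> requestHeaders, Set<String> gadgetRequested) {
    Set<String> requested = new HashSet<>();
    for (String h : gadgetRequested) requested.add(h.toLowerCase(Locale.ROOT));

    Map<String, List<String>> out = new LinkedHashMap<>();
    for (Map.Entry<String, List<String>> e : requestHeaders.entrySet()) {
      String name = e.getKey().toLowerCase(Locale.ROOT);
      // Hop-by-hop and credential headers are dropped even if a gadget asks.
      if (HOP_BY_HOP.contains(name) || CREDENTIALS.contains(name)) continue;
      if (DEFAULT_ALLOWED.contains(name) || requested.contains(name)) {
        out.put(name, new ArrayList<>(e.getValue()));
      }
    }
    return out;
  }

  public static void main(String[] args) {
    // Constructed sample of what a browser might send to the proxy.
    Map<String, List<String>> browser = new LinkedHashMap<>();
    browser.put("Accept", Collections.singletonList("text/html"));
    browser.put("Cookie", Collections.singletonList("SID=example-session"));
    browser.put("Connection", Collections.singletonList("keep-alive"));
    browser.put("Slug", Collections.singletonList("my-entry"));
    // Only Accept (default allowlist) and Slug (gadget-requested) survive.
    System.out.println(filter(browser, Collections.singleton("Slug")));
  }
}
```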
