On Mon, Mar 17, 2008 at 12:18 PM, Brian Eaton <[EMAIL PROTECTED]> wrote:
> The current code is pulling headers directly out of the HTTP request
> sent from the client and forwarding them on. That's just broken.

Not quite -- it removes a few (though not nearly enough).

We should probably do this:

- Establish a whitelist for "normal" headers.
- Establish a blacklist of X- headers (X-Forwarded-For, for instance).

> At some point we should worry about what HTTP headers to allow when
> gadgets intentionally ask to forward headers. In the meantime we
> should stop forwarding headers that gadgets didn't ask us to forward
> in the first place.

There's a problem here in that this is a proxy. Certain headers must be
forwarded so that the end user can actually understand the response,
especially for things like images.

>
> On Mon, Mar 17, 2008 at 11:21 AM, John Panzer <[EMAIL PROTECTED]> wrote:
> > Problem: Whitelisting headers will inevitably miss some (Slug:?)
> > which some gadget will need somewhere.
> >
> > Same issue that the W3C is struggling with over cross-site requests
> > for browsers. Possibly that discussion has come up with a good
> > blacklist...
> >
> > I know that black lists aren't good security, but...
> >
> >
> >
> > On Mon, Mar 17, 2008 at 5:49 AM, Brian Eaton (JIRA) <[EMAIL PROTECTED]> wrote:
> > > forwarding browser headers on remote content requests
> > > -----------------------------------------------------
> > >
> > > Key: SHINDIG-133
> > > URL: https://issues.apache.org/jira/browse/SHINDIG-133
> > > Project: Shindig
> > > Issue Type: Bug
> > > Components: Gadgets Server - Java
> > > Reporter: Brian Eaton
> > >
> > >
> > > There is some fairly dodgy code in ProxyHandler.java. If a GET
> > > request shows up at the server, nearly all of the headers sent from the
> > > browser are forwarded to the backend. This should be replaced with a white
> > > list of headers that are OK to copy out of the request.
> > >
> > > As an example of various things that are likely to go wrong with the
> > > current code:
> > > - cookies will be forwarded (and yes, I know gadgets shouldn't have
> > >   cookies, but if they do we shouldn't leak them this way.)
> > > - some hop by hop headers will be forwarded
> > >
> > > There are probably other issues.
> > >
> > > Problem code is here:
> > >
> > >   if ("POST".equals(method)) {
> > >     ....
> > >   } else {
> > >     postBody = null;
> > >     headers = new HashMap<String, List<String>>();
> > >     Enumeration<String> headerNames = request.getHeaderNames();
> > >     while (headerNames.hasMoreElements()) {
> > >       String header = headerNames.nextElement();
> > >       headers.put(header, Collections.list(request.getHeaders(header)));
> > >     }
> > >   }
> > >
> > >   removeUnsafeHeaders(headers);
> > >
> > >
> > > --
> > > This message is automatically generated by JIRA.
> > > -
> > > You can reply to this email to add a comment to the issue online.
> > >
> > >
> > >

--
~Kevin
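The combination proposed in the thread (a whitelist of "normal" browser headers, a blacklist applied to whatever a gadget explicitly asks to forward, and hop-by-hop stripping on both sides so that response headers like Content-Type still reach the browser) can be sketched as a stand-alone filter. This is an added illustration, not Shindig's ProxyHandler or removeUnsafeHeaders: the class name, method names and the particular allowlist/denylist contents are assumptions chosen for the example, while the hop-by-hop set is the one RFC 2616 section 13.5.1 defines. It works on the same Map<String, List<String>> shape the quoted snippet builds, so it does not need the servlet API to run.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/** Illustrative proxy header filtering (example code, not Shindig's own). */
public final class ProxyHeaderFilter {

    // Browser headers the proxy copies to the backend without being asked (assumed set).
    static final Set<String> REQUEST_ALLOWLIST = names("Accept", "Accept-Language",
        "Accept-Encoding", "Cache-Control", "Pragma", "If-Modified-Since",
        "If-None-Match", "Range", "User-Agent");

    // Hop-by-hop headers per RFC 2616 section 13.5.1; a proxy must not forward these.
    static final Set<String> HOP_BY_HOP = names("Connection", "Keep-Alive",
        "Proxy-Authenticate", "Proxy-Authorization", "TE", "Trailers",
        "Transfer-Encoding", "Upgrade");

    // Credential, routing and proxy-chain headers refused even when a gadget asks (assumed set).
    static final Set<String> REQUEST_DENYLIST = names("Cookie", "Authorization", "Host",
        "Content-Length", "X-Forwarded-For", "X-Forwarded-Host", "X-Forwarded-Proto",
        "X-Real-IP", "Via");

    // Response headers the browser needs to interpret the body, e.g. an image (assumed set).
    static final Set<String> RESPONSE_ALLOWLIST = names("Content-Type", "Content-Length",
        "Content-Encoding", "Content-Disposition", "Content-Range", "Cache-Control",
        "Expires", "Last-Modified", "ETag", "Vary");

    /** Returns the request headers to send upstream; keys are lower-cased. */
    public static Map<String, List<String>> filterRequest(
            Map<String, List<String>> browserHeaders, Set<String> gadgetRequested) {
        Map<String, List<String>> in = lowerKeys(browserHeaders);
        Set<String> wanted = lower(gadgetRequested);

        // Header names listed in Connection: are hop-by-hop for this hop as well.
        Set<String> hopByHop = new HashSet<>(HOP_BY_HOP);
        for (String v : in.getOrDefault("connection", Collections.<String>emptyList())) {
            for (String token : v.split(",")) {
                hopByHop.add(token.trim().toLowerCase(Locale.ROOT));
            }
        }

        Map<String, List<String>> out = new LinkedHashMap<>();
        for (Map.Entry<String, List<String>> e : in.entrySet()) {
            String name = e.getKey();
            if (hopByHop.contains(name) || REQUEST_DENYLIST.contains(name)) {
                continue; // dropped regardless of what the gadget asked for
            }
            if (REQUEST_ALLOWLIST.contains(name) || wanted.contains(name)) {
                out.put(name, new ArrayList<>(e.getValue()));
            }
        }
        return out;
    }

    /** Keeps only response headers the browser needs; Set-Cookie and hop-by-hop are dropped. */
    public static Map<String, List<String>> filterResponse(Map<String, List<String>> backend) {
        Map<String, List<String>> out = new LinkedHashMap<>();
        for (Map.Entry<String, List<String>> e : lowerKeys(backend).entrySet()) {
            if (RESPONSE_ALLOWLIST.contains(e.getKey())) {
                out.put(e.getKey(), new ArrayList<>(e.getValue()));
            }
        }
        return out;
    }

    private static Set<String> names(String... n) { return lower(new HashSet<>(Arrays.asList(n))); }

    private static Set<String> lower(Set<String> n) {
        Set<String> s = new HashSet<>();
        for (String x : n) s.add(x.toLowerCase(Locale.ROOT));
        return s;
    }

    private static Map<String, List<String>> lowerKeys(Map<String, List<String>> m) {
        Map<String, List<String>> out = new LinkedHashMap<>();
        for (Map.Entry<String, List<String>> e : m.entrySet()) {
            out.computeIfAbsent(e.getKey().toLowerCase(Locale.ROOT), k -> new ArrayList<>())
               .addAll(e.getValue());
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample request, including the leaks the JIRA issue warns about.
        Map<String, List<String>> browser = new LinkedHashMap<>();
        browser.put("Accept", Arrays.asList("image/png,*/*"));
        browser.put("User-Agent", Arrays.asList("Mozilla/5.0"));
        browser.put("Cookie", Arrays.asList("session=abc123"));
        browser.put("X-Forwarded-For", Arrays.asList("10.0.0.7"));
        browser.put("Connection", Arrays.asList("keep-alive, X-Debug-Token"));
        browser.put("X-Debug-Token", Arrays.asList("hop-only"));
        browser.put("Slug", Arrays.asList("my-entry"));
        // The gadget asks for Slug (allowed, it is not in the default list) and Cookie (refused).
        Set<String> requested = new HashSet<>(Arrays.asList("Slug", "Cookie"));
        System.out.println(filterRequest(browser, requested));
    }
}
```

Running main shows only Accept, User-Agent and Slug surviving: Cookie and X-Forwarded-For fall to the denylist even though Cookie was requested, Connection is hop-by-hop, and X-Debug-Token is dropped because the Connection header named it. The response side is deliberately an allowlist rather than a denylist so that a forgotten backend header (Set-Cookie, for instance) fails closed while Content-Type and Content-Length, which the browser needs to render an image, always pass.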

