[ 
https://issues.apache.org/jira/browse/SHINDIG-133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12603252#action_12603252
 ] 

Brian Eaton commented on SHINDIG-133:
-------------------------------------

We're also leaking cookies here.  Gadgets aren't supposed to be setting 
cookies, but leaking them is bad nonetheless.

> forwarding browser headers on remote content requests
> -----------------------------------------------------
>
>                 Key: SHINDIG-133
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-133
>             Project: Shindig
>          Issue Type: Bug
>          Components: Gadget Rendering Server (Java)
>            Reporter: Brian Eaton
>
> There is some fairly dodgy code in ProxyHandler.java.  If a GET request shows 
> up at the server, nearly all of the headers sent from the browser are 
> forwarded to the backend.  This should be replaced with a white list of 
> headers that are OK to copy out of the request.
> As an example of various things that are likely to go wrong with the current 
> code:
> - cookies will be forwarded (and yes, I know gadgets shouldn't have cookies, 
> but if they do we shouldn't leak them this way.)
> - some hop by hop headers will be forwarded
> There are probably other issues.
> Problem code is here:
>       if ("POST".equals(method)) {
>          ....
>       } else {
>         postBody = null;
>         headers = new HashMap<String, List<String>>();
>         Enumeration<String> headerNames = request.getHeaderNames();
>         while (headerNames.hasMoreElements()) {
>           String header = headerNames.nextElement();
>           headers.put(header, Collections.list(request.getHeaders(header)));
>         }
>       }
>       removeUnsafeHeaders(headers);

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

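The allow-list approach proposed in the issue, written out as an added example that is not Shindig's ProxyHandler code. The header map shape (name to list of values) mirrors the snippet quoted above; the class and method names, the contents of the allow list, and the sample browser headers are illustrative assumptions for this example, not the project's. Besides the allow list, the example also strips the hop-by-hop headers from RFC 2616 section 13.5.1 and any header the browser named in its Connection header, which is the second problem the issue mentions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Allow-list based copying of browser request headers onto an outgoing
 * proxied request. Added illustration only; not Shindig's code.
 */
public class SafeHeaderCopy {

  // Request headers that are safe to relay to the backend. Anything not
  // listed (Cookie, Authorization, Host, Referer, ...) is dropped by default.
  // Assumption: this set is an illustrative choice, not Shindig's list.
  private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
      "accept", "accept-language", "accept-charset", "user-agent",
      "if-modified-since", "if-none-match", "cache-control", "pragma"));

  // Hop-by-hop headers (RFC 2616 section 13.5.1); never relayed by a proxy.
  private static final Set<String> HOP_BY_HOP = new HashSet<>(Arrays.asList(
      "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
      "te", "trailers", "transfer-encoding", "upgrade"));

  /**
   * Returns a new map holding only allow-listed, end-to-end headers.
   * Names are compared case-insensitively; keys in the result are lower-cased.
   */
  public static Map<String, List<String>> filterRequestHeaders(
      Map<String, List<String>> incoming) {
    // Headers named in the Connection header are hop-by-hop for this
    // connection too, even if they would otherwise pass the allow list.
    Set<String> perConnection = new HashSet<>();
    for (Map.Entry<String, List<String>> e : incoming.entrySet()) {
      if ("connection".equalsIgnoreCase(e.getKey())) {
        for (String value : e.getValue()) {
          for (String token : value.split(",")) {
            perConnection.add(token.trim().toLowerCase(Locale.ROOT));
          }
        }
      }
    }

    Map<String, List<String>> out = new LinkedHashMap<>();
    for (Map.Entry<String, List<String>> e : incoming.entrySet()) {
      String name = e.getKey().toLowerCase(Locale.ROOT);
      if (!ALLOWED.contains(name)) continue;       // default deny
      if (HOP_BY_HOP.contains(name)) continue;     // never relay hop-by-hop
      if (perConnection.contains(name)) continue;  // "Connection: foo" scopes foo
      out.put(name, new ArrayList<>(e.getValue()));
    }
    return out;
  }

  public static void main(String[] args) {
    // Constructed sample of what a browser might send to the proxy endpoint.
    Map<String, List<String>> browser = new LinkedHashMap<>();
    browser.put("Host", Collections.singletonList("gadgets.example.test"));
    browser.put("Cookie", Collections.singletonList("SID=abc123"));
    browser.put("Authorization", Collections.singletonList("Bearer secret"));
    browser.put("Accept", Collections.singletonList("image/png"));
    browser.put("User-Agent", Collections.singletonList("ExampleBrowser/1.0"));
    browser.put("Connection",
        Collections.singletonList("keep-alive, accept-language"));
    browser.put("Accept-Language", Collections.singletonList("en-US"));
    browser.put("Keep-Alive", Collections.singletonList("timeout=5"));

    Map<String, List<String>> forwarded = filterRequestHeaders(browser);
    for (Map.Entry<String, List<String>> e : forwarded.entrySet()) {
      System.out.println(e.getKey() + ": " + String.join(", ", e.getValue()));
    }
  }
}
```

The point of the design is that the decision is inverted relative to the quoted loop: nothing reaches the backend unless it is explicitly named, so a header the author did not think about (Cookie, Authorization, or a new browser header) fails closed rather than leaking. The Connection-header pass matters because a client can mark an otherwise harmless header as connection-scoped, and a proxy that relays it anyway is still forwarding a hop-by-hop header.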