File CVE-2014-3429-cross-domain.patch of Package IPython

Index: ipython-1.1.0/IPython/html/base/zmqhandlers.py
===================================================================
--- ipython-1.1.0.orig/IPython/html/base/zmqhandlers.py	2014-08-07 16:03:13.331603969 +0200
+++ ipython-1.1.0/IPython/html/base/zmqhandlers.py	2014-08-07 16:53:08.041133824 +0200
@@ -21,6 +21,11 @@
 from tornado import web
 from tornado import websocket
 
+try:
+    from urllib.parse import urlparse # Py3
+except ImportError:
+    from urlparse import urlparse # Py2
+
 from zmq.utils import jsonapi
 
 from IPython.kernel.zmq.session import Session
@@ -35,6 +40,29 @@
 
 class ZMQStreamHandler(websocket.WebSocketHandler):
     
+    def same_origin(self):
+        """Check to see that origin and host match in the headers."""
+
+        # The difference between version 8 and 13 is that in 8 the
+        # client sends a "Sec-Websocket-Origin" header and in 13 it's
+        # simply "Origin".
+        if self.request.headers.get("Sec-WebSocket-Version") in ("7", "8"):
+            origin_header = self.request.headers.get("Sec-Websocket-Origin")
+        else:
+            origin_header = self.request.headers.get("Origin")
+
+        host = self.request.headers.get("Host")
+
+        # If no header is provided, assume we can't verify origin
+        if(origin_header is None or host is None):
+            return False
+
+        parsed_origin = urlparse(origin_header)
+        origin = parsed_origin.netloc
+
+        # Check to see that origin matches host directly, including ports
+        return origin == host
+
     def clear_cookie(self, *args, **kwargs):
         """meaningless for websockets"""
         pass
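Review bot: The final `return origin == host` in `same_origin` is an exact string comparison, so an origin that differs from the Host header only in hostname case or in an explicit versus omitted default port (`http://example.org` against `Host: example.org:80`) is rejected; that is a false negative rather than a hole, but it surfaces as an unexplained 404 from `open`, and the docstring should state the exactness. The docstring should also record the limit of the check: both headers are supplied by the client, so only browsers, which set Origin themselves, are constrained by it, and it is not an authentication step. The `if(origin_header is None or host is None):` line reads as C; `if origin_header is None or host is None:` is the Python form. A docstring sentence such as `Returns False when either header is missing; the match is exact (case and port included) and only defends browser-initiated connections.` would capture the contract.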
@@ -83,6 +111,11 @@
 class AuthenticatedZMQStreamHandler(ZMQStreamHandler, IPythonHandler):
 
     def open(self, kernel_id):
+        # Check to see that origin matches host directly, including ports
+        if not self.same_origin():
+            self.log.warn("Cross Origin WebSocket Attempt.")
+            raise web.HTTPError(404)
+
         self.kernel_id = cast_unicode(kernel_id, 'ascii')
         self.session = Session(config=self.config)
         self.save_on_message = self.on_message
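Review bot: The warning emitted on the rejected path in `open` does not record the offending origin or Host value, which is the one detail an operator needs to tell a misconfigured proxy from a cross-site attempt when triaging these events. Including both headers keeps the same log level: `self.log.warn("Cross Origin WebSocket Attempt: origin=%r host=%r", self.request.headers.get("Origin") or self.request.headers.get("Sec-Websocket-Origin"), self.request.headers.get("Host"))`. `open`'s body continues outside the hunk.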
@@ -111,4 +144,4 @@
         if self.get_current_user() is None:
             self.log.warn("Couldn't authenticate WebSocket connection")
             raise web.HTTPError(403)
-        self.on_message = self.save_on_message
\ No newline at end of file
+        self.on_message = self.save_on_message