File CVE-2014-3429-cross-domain.patch of Package IPython
Index: ipython-1.1.0/IPython/html/base/zmqhandlers.py
===================================================================
--- ipython-1.1.0.orig/IPython/html/base/zmqhandlers.py 2014-08-07 16:03:13.331603969 +0200
+++ ipython-1.1.0/IPython/html/base/zmqhandlers.py 2014-08-07 16:53:08.041133824 +0200
@@ -21,6 +21,11 @@
from tornado import web
from tornado import websocket
+try:
+ from urllib.parse import urlparse # Py3
+except ImportError:
+ from urlparse import urlparse # Py2
+
from zmq.utils import jsonapi
from IPython.kernel.zmq.session import Session
@@ -35,6 +40,29 @@
class ZMQStreamHandler(websocket.WebSocketHandler):
+ def same_origin(self):
+ """Check to see that origin and host match in the headers."""
+
+ # The difference between version 8 and 13 is that in 8 the
+ # client sends a "Sec-Websocket-Origin" header and in 13 it's
+ # simply "Origin".
+ if self.request.headers.get("Sec-WebSocket-Version") in ("7", "8"):
+ origin_header = self.request.headers.get("Sec-Websocket-Origin")
+ else:
+ origin_header = self.request.headers.get("Origin")
+
+ host = self.request.headers.get("Host")
+
+ # If no header is provided, assume we can't verify origin
+ if(origin_header is None or host is None):
+ return False
+
+ parsed_origin = urlparse(origin_header)
+ origin = parsed_origin.netloc
+
+ # Check to see that origin matches host directly, including ports
+ return origin == host
+
def clear_cookie(self, *args, **kwargs):
"""meaningless for websockets"""
pass
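Review bot: The docstring of `same_origin` should state the contract the body actually implements and its limit: it returns True only when the netloc of Origin (or Sec-Websocket-Origin for versions 7/8) equals the Host header byte-for-byte, and False when either header is missing, so mismatches such as an Origin of `null`, a differing port or a case difference all fail closed. Both headers are supplied by the client, so the check defends against browser-initiated cross-site WebSocket connections, where the browser sets Origin and page script cannot override it, and is not a substitute for the authentication check this file performs later. A docstring of the form `"""Return True only if the Origin (Sec-Websocket-Origin for v7/8) netloc exactly equals the Host header, False if either is absent. Both headers are client-supplied; this guards browser cross-site attempts, not unauthenticated clients."""` covers that. Minor style point: `if(origin_header is None or host is None):` should be `if origin_header is None or host is None:` per PEP 8.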
@@ -83,6 +111,11 @@
class AuthenticatedZMQStreamHandler(ZMQStreamHandler, IPythonHandler):
def open(self, kernel_id):
+ # Check to see that origin matches host directly, including ports
+ if not self.same_origin():
+ self.log.warn("Cross Origin WebSocket Attempt.")
+ raise web.HTTPError(404)
+
self.kernel_id = cast_unicode(kernel_id, 'ascii')
self.session = Session(config=self.config)
self.save_on_message = self.on_message
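Review bot: The rejection log line `self.log.warn("Cross Origin WebSocket Attempt.")` records neither of the two header values that failed the comparison, so an operator cannot distinguish a reverse proxy that rewrites Host (every legitimate connection then fails the check) from a genuine cross-site attempt; including both values, e.g. `self.log.warn("Cross Origin WebSocket Attempt: origin=%r host=%r", self.request.headers.get("Origin"), self.request.headers.get("Host"))` if `self.log` is a standard logging.Logger, makes the failure diagnosable. The status also differs from the 403 raised for the authentication failure later in this file; if 404 is deliberate, a one-line comment such as `# 404 rather than 403: do not confirm the kernel endpoint to cross-origin pages` would keep a later reader from "correcting" it. `open` continues past the end of the hunk.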
@@ -111,4 +144,4 @@
if self.get_current_user() is None:
self.log.warn("Couldn't authenticate WebSocket connection")
raise web.HTTPError(403)
- self.on_message = self.save_on_message
\ No newline at end of file
+ self.on_message = self.save_on_message