Oliver Bleutgen wrote:
Jamie Heilman wrote:
Now, while I think a new header is a good stop-gap I don't think it's a permanent solution. The problem of no canonical host name is still a source of pain in zope
Could you elaborate on that a little bit? Are you referring to what is talked about in 813 or is there something else?
Yep, 813 is a two-pronged problem. The first prong is the cross-site scripting vulnerabilities due to poor contextual escaping. That's what my patch tackles. The second prong is the issue of zope's decision to always trust the client-provided hostname. That problem hasn't been solved yet; the workarounds I mentioned in 813 are no longer adequate as they depend on the VHM, which obtains its information from an untrustworthy source.

The only workaround for the cross-site scripting issue is to patch zope. The problem of client-provided hostnames is only a problem if you use caching and your cache doesn't use the hostname as a cache key. If your cache allows you to add the hostname to the cache key then you're safe - provided that doesn't open your cache up to abuse (see my previous posting about caching). Cache users should be aware that adding the hostname alone isn't enough; to prevent poisoning, the path info should also be added to the key, as VHMs combined with type coercion let untrusted users change that too, and possibly the protocol... though I haven't dug that far into it yet to see just how much can be exploited by beating up a VHM.

-- 
Jamie Heilman http://audible.transient.net/~jamie/
"I was in love once -- a Sinclair ZX-81. People said, "No, Holly, she's not for you." She was cheap, she was stupid and she wouldn't load -- well, not for me, anyway." -Holly
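The cache-poisoning point in the message above, shown as a runnable toy. This is an added example written for this page; it is not Zope, VHM or Jamie's patch code, and the origin, cache, host names and ALLOWED_HOSTS config are all constructed assumptions. The origin stands in for an application that builds absolute links from whatever Host the client sent. With a path-only cache key, an attacker's spoofed Host ends up in the page a later victim receives; keying on protocol, hostname and path info keeps the entries apart. The host allowlist at the end is a separate assumption, not something the thread describes, addressing the caveat that per-host keys may "open your cache up to abuse" by letting arbitrary Host values fill it.

```python
"""Toy cache in front of an origin that trusts the client-supplied Host
header when building absolute links. Added example for this thread; not
Zope, VHM or patch code. All names and hosts here are constructed."""

from typing import Any, Callable, Dict, Optional, Set


def origin(scheme: str, host: str, path: str) -> str:
    """Constructed origin: rewrites links from whatever Host the client sent,
    so a spoofed Host ends up inside the response body."""
    return f'<html><a href="{scheme}://{host}{path}/next">next</a></html>'


KeyFn = Callable[[str, str, str], Any]


class Cache:
    """Look-through cache whose only policy is its key function."""

    def __init__(self, key_fn: KeyFn) -> None:
        self.key_fn = key_fn
        self.store: Dict[Any, str] = {}

    def fetch(self, scheme: str, host: str, path: str) -> str:
        key = self.key_fn(scheme, host, path)
        if key not in self.store:          # miss: ask the origin and remember it
            self.store[key] = origin(scheme, host, path)
        return self.store[key]


def key_by_path(scheme: str, host: str, path: str) -> Any:
    """Weak key: the first client to request a path decides what every later
    client gets for it, including the Host baked into the links."""
    return path


def key_by_scheme_host_path(scheme: str, host: str, path: str) -> Any:
    """Key the thread recommends: protocol, hostname and path info together."""
    return (scheme, host, path)


def poisoned(key_fn: KeyFn, attacker_host: str = "attacker.example",
             victim_host: str = "www.example.com", path: str = "/index") -> bool:
    """Return True if an attacker's spoofed Host leaks into a victim's response."""
    cache = Cache(key_fn)
    cache.fetch("http", attacker_host, path)       # attacker primes the entry
    body = cache.fetch("http", victim_host, path)  # victim asks for the same path
    return attacker_host in body


# Assumed deployment config: the canonical names this site answers to.
ALLOWED_HOSTS: Set[str] = {"www.example.com", "example.com"}


def canonical_host(host: str) -> Optional[str]:
    """Normalise a Host header value and return it only if it is one of ours.

    Assumption, not from the thread: an edge check like this keeps per-host
    cache keys from letting arbitrary Host values fill the cache."""
    name = host.strip().lower().split(":", 1)[0]  # drop :port (no IPv6 literals here)
    return name if name in ALLOWED_HOSTS else None


def guarded_fetch(cache: Cache, scheme: str, host: str, path: str) -> Optional[str]:
    """Per-host keys plus a host allowlist: unknown Hosts never reach the cache."""
    name = canonical_host(host)
    if name is None:
        return None                                # e.g. answer 400, cache nothing
    return cache.fetch(scheme, name, path)


if __name__ == "__main__":
    print("path-only key poisoned:", poisoned(key_by_path))                     # True
    print("scheme+host+path key poisoned:", poisoned(key_by_scheme_host_path))  # False
    c = Cache(key_by_scheme_host_path)
    for h in ["attacker.example", "junk1.example", "WWW.Example.com:8080"]:
        guarded_fetch(c, "http", h, "/index")
    print("cache entries after junk Hosts:", len(c.store))                      # 1
```

The key function is the whole difference between the two runs: nothing else about the cache or the origin changes, which is why the thread treats the cache key, not the application, as the place to contain a client-controlled Host. The allowlist only bounds the key space; it does nothing for the escaping bug the patch addresses.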