[ZCM] [ZC] 1191/ 1 Request "misplaced trust in Host header"

Collector: Zope Bugs, Features, and Patches ... zope-coders-admin at zope.org
Mon Jan 19 18:13:39 EST 2004


Issue #1191 Update (Request) "misplaced trust in Host header"
 Status Pending, Zope/bug medium
To followup, visit:
  http://collector.zope.org/Zope/1191

==============================================================
= Request - Entry #1 by leper on Jan 19, 2004 6:13 pm

Zope implicitly trusts the Host header from client requests, and uses its
value to construct the results from absolute_url(), and the URL*, BASE*,
and REQUESTPATH* HTTPRequest object variables. Unfortunately that behavior
allows malicious requests to poison server-side caches, tamper with log
files, and until recently posed a cross-site-scripting risk.

Ideally Zope would know which domains it's responsible for and do something
sensible with requests for resources outside of its jurisdiction.

Several partial workarounds exist, but they tend to be problematic.
Using a VirtualHostMonster reduces the risk from malicious Host headers
provided the gateway server does host validation.  Unfortunately VHMs
obtain their host data via the traversal stack, which can't be trusted 
either, which leaves us somewhat screwed one way or the other.

References to bear in mind:
issue #813, where all this started
http://marc.theaimsgroup.com/?l=zope&m=104639584701163&w=2
http://marc.theaimsgroup.com/?l=zope&m=105433510519201&w=2 (important)

This bug is security related, but it should remain public (as should all bugs IMO.)
==============================================================
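
The report's suggestion that the server know which domains it is responsible for, sketched as an added example. This is not Zope code and not part of the original report. The allowlist contents and all function names are assumptions made for illustration.

```python
import re

# Assumption: the host names this server is responsible for (constructed values).
ALLOWED_HOSTS = frozenset({"www.example.org", "example.org"})

# Host = name[:port] only; anything else (spaces, CR/LF, markup, userinfo) fails.
_HOST_RE = re.compile(
    r"(?P<name>[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?)"
    r"(?::(?P<port>[0-9]{1,5}))?"
)


class UntrustedHost(ValueError):
    """The Host header does not name a host this server serves."""


def validate_host(header_value, allowed=ALLOWED_HOSTS):
    """Return (hostname, port or None) for an allowlisted Host, else raise."""
    if header_value is None:
        raise UntrustedHost("missing Host header")
    match = _HOST_RE.fullmatch(header_value)
    if match is None:
        raise UntrustedHost("malformed Host header")
    name = match.group("name").lower()
    port = int(match.group("port")) if match.group("port") else None
    if port is not None and not 1 <= port <= 65535:
        raise UntrustedHost("port out of range")
    if name not in allowed:
        raise UntrustedHost("host not served here")
    return name, port


def base_url_for(header_value, scheme="http"):
    """Build a base URL from a validated Host header only."""
    name, port = validate_host(header_value)
    default_port = 443 if scheme == "https" else 80
    suffix = "" if port in (None, default_port) else ":%d" % port
    return "%s://%s%s" % (scheme, name, suffix)


def log_safe(header_value):
    """Escape a rejected header before it is written to a log line."""
    return repr(header_value)
```

A caller would answer UntrustedHost with an error response rather than generating URLs, so a cache in front of the server never stores a page built from an unvalidated Host.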



