[Zope-dev] Client.py looses port? Bug?

Michel Pelletier michel@digicool.com
Fri, 10 Mar 2000 16:29:26 -0800


I _think_ the problem is that ZServer builds SERVER_URL from the Host
header and other HTTP headers.  If the client reports these incorrectly,
then ZServer will get them wrong, even though ZServer knows what port
the request came in on.

This needs to be thought about (and obviously confirmed, I'm not
positive).  What you may want to do is get one of those fancy HTTP
sniffers to see if ZClient requests are sending the port along with the
Host header.  If not, obviously ZClient should be fixed, but also maybe
we should consider ZServer inspecting the Host header to make sure it
jives with what port and host the request actually came in on (or at
least the port, I'm not sure if in a multi-hosting environment this
should be done).  I don't think this is a security problem, but it might
introduce some form of port spoofing we are unfamiliar with or unaware of.

-Michel

Loren Stafford wrote:
> 
> I've found that absolute_url does not return the port number when the
> request was created by client.py.
> 
> I may not have isolated the problem at the most detailed level, but here's
> one way to reproduce it. An object (zev3) in this case has two methods for
> the purposes of isolating this problem:
> 
>   def shoot(self, client=None, REQUEST=None, RESPONSE=None, **kw):
>     """Track down a problem in absolute_url()
>     """
>     from ZPublisher import Client
>     import Loggerr
>     loggerr=Loggerr.loggerr
>     # URL as seen by the browser-originated request
>     myurl=self.absolute_url()
>     emsg='Shoot: %s' % myurl
>     loggerr(100, emsg, detail='')
>     # re-enter Zope through Client.py and log the URL "show" sees
>     Client.call('%s/%s' % (myurl, 'show'))
> 
>   def show(self, client=None, REQUEST=None, RESPONSE=None, **kw):
>     """Track down a problem in absolute_url()
>     """
>     import Loggerr
>     loggerr=Loggerr.loggerr
>     emsg='Show: %s'% self.absolute_url()
>     loggerr(100, emsg, detail='')
> 
> Executing "show" by typing "http://127.0.0.1:8080/zev3/show" into the
> browser produces this log entry.
> 
> ------
> 2000-03-10T21:47:04 PROBLEM(100) Products.ZScheduler.Loggerr Show:
> http://127.0.0.1:8080/zev3
> 
> Executing "show" by typing "http://127.0.0.1:8080/zev3/shoot" into the
> browser produces this log entry.
> 
> ------
> 2000-03-10T21:44:19 PROBLEM(100) Products.ZScheduler.Loggerr Shoot:
> http://127.0.0.1:8080/zev3
> ------
> 2000-03-10T21:44:19 PROBLEM(100) Products.ZScheduler.Loggerr Show:
> http://127.0.0.1/zev3
> 
> What happened with the port?
> 
> I'll try to track this down further, but I'm afraid the problem is in the
> depths of ZPublisher somewhere. Any hints would be appreciated.
> 
> -- Thanks
> -- Loren
> 
> _______________________________________________
> Zope-Dev maillist  -  Zope-Dev@zope.org
> http://lists.zope.org/mailman/listinfo/zope-dev
> **  No cross posts or HTML encoding!  **
> (Related lists -
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope )
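An added example (not ZServer or ZClient code) of the failure Michel suspects and the check he proposes: a server that rebuilds its base URL from the Host header alone drops the port when the client omits it, and comparing the header's port with the port the connection actually arrived on catches that. The header values, the object name zev3 and port 8080 are constructed for illustration.

```python
def parse_host_header(host_header, default_port):
    """Split 'host[:port]' into (host, port); a missing port means
    default_port. Returns None if the value is empty or the port part
    is not numeric. A bracketed IPv6 literal without a port is handled."""
    if not host_header:
        return None
    if host_header.endswith("]"):          # e.g. "[::1]" with no port
        return host_header, default_port
    if ":" in host_header:
        host, _, port = host_header.rpartition(":")
        if not port.isdigit():
            return None
        return host, int(port)
    return host_header, default_port

def server_url_from_host(headers, scheme="http"):
    """Naive reconstruction: trust the Host header alone, which is what the
    thread suspects ZServer does. 'Host: 127.0.0.1' on a request that came
    in on port 8080 yields a base URL with no port at all."""
    default_port = 443 if scheme == "https" else 80
    host, port = parse_host_header(headers["Host"], default_port)
    if port == default_port:
        return "%s://%s" % (scheme, host)
    return "%s://%s:%d" % (scheme, host, port)

def server_url_checked(headers, actual_port, scheme="http"):
    """Hardened variant (the check Michel proposes): compare the port in the
    Host header with the port the connection really arrived on. On mismatch,
    rebuild the URL from the real port and flag it instead of trusting the
    header. Returns (url, mismatch_flag)."""
    default_port = 443 if scheme == "https" else 80
    parsed = parse_host_header(headers.get("Host", ""), default_port)
    if parsed is None:
        raise ValueError("malformed Host header: %r" % headers.get("Host"))
    host, port = parsed
    mismatch = port != actual_port
    if mismatch:
        port = actual_port
    if port == default_port:
        return "%s://%s" % (scheme, host), mismatch
    return "%s://%s:%d" % (scheme, host, port), mismatch

# Constructed requests: a browser sends host:port, the suspected client omits it.
BROWSER = {"Host": "127.0.0.1:8080"}
BUGGY_CLIENT = {"Host": "127.0.0.1"}

if __name__ == "__main__":
    for name, hdrs in (("browser", BROWSER), ("buggy client", BUGGY_CLIENT)):
        print("%-12s naive=%s/zev3  checked=%s/zev3" % (
            name, server_url_from_host(hdrs), server_url_checked(hdrs, 8080)[0]))
```

The naive path reproduces Loren's log (the port disappears only for the client-originated request); the checked path restores it and reports the discrepancy so a misbehaving or spoofed Host header is visible rather than silently trusted.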