[Zope-dev] Client.py looses port? Bug?
Loren Stafford
lstaffor@dynalogic.com
Sat, 11 Mar 2000 07:39:50 -0800
I don't have a fancy HTTP sniffer, but it's easy to trace Client.py. And
sure enough, it is stripping the port off the Host specification in two
places with the line:

    headers['Host']=split(urlparse(url)[1],':')[0]

I've checked RFC 2068, and I think it's pretty clear that the port must be
present in the Host header, so I think these two lines should read:

    headers['Host']=urlparse(url)[1]

I'll file this with the Collector.
-- Loren
----- Original Message -----
From: Michel Pelletier <michel@digicool.com>
To: Loren Stafford <lstafford@icompression.com>
Cc: <zope-dev@zope.org>; <mj@digicool.com>
Sent: March 10, 2000 04:29 PM
Subject: Re: [Zope-dev] Client.py looses port? Bug?
> I _think_ the problem is that ZServer builds SERVER_URL from the Host
> header and other HTTP headers. If the client reports these incorrectly,
> then ZServer will get them wrong, even though ZServer knows what port
> the request came in on.
>
> This needs to be thought about (and obviously confirmed, I'm not
> positive). What you may want to do is get one of those fancy HTTP
> sniffers to see if ZClient requests are sending the port along with the
> Host header. If not, obviously ZClient should be fixed, but also maybe
> we should consider ZServer inspecting the Host header to make sure it
> jibes with what port and host the request actually came in on (or at
> least the port, I'm not sure if in a multi-hosting environment this
> should be done). I don't think this is a security problem, but it might
> introduce some form of port spoofing we are unfamiliar with or unaware of.
>
> -Michel
>
> Loren Stafford wrote:
> >
> > I've found that absolute_url does not return the port number when the
> > request was created by client.py.
> >
> > I may not have isolated the problem at the most detailed level, but
> > here's one way to reproduce it. An object (zev3) in this case has two
> > methods for the purposes of isolating this problem:
> >
> > def shoot(self, client=None, REQUEST=None, RESPONSE=None, **kw):
> >     """Track down a problem in absolute_url()
> >     """
> >     from ZPublisher import Client
> >     import Loggerr
> >     loggerr=Loggerr.loggerr
> >     myurl=self.absolute_url()
> >     emsg='Shoot: %s' % myurl
> >     loggerr(100, emsg, detail='')
> >     # Request "show" on the same object through Client.py
> >     Client.call('%s/%s' % (myurl, 'show'))
> >
> > def show(self, client=None, REQUEST=None, RESPONSE=None, **kw):
> >     """Track down a problem in absolute_url()
> >     """
> >     import Loggerr
> >     loggerr=Loggerr.loggerr
> >     # Log the URL this object reports for the current request
> >     emsg='Show: %s'% self.absolute_url()
> >     loggerr(100, emsg, detail='')
> >
> > Executing "show" by typing "http://127.0.0.1:8080/zev3/show" into the
> > browser produces this log entry.
> >
> > ------
> > 2000-03-10T21:47:04 PROBLEM(100) Products.ZScheduler.Loggerr Show:
> > http://127.0.0.1:8080/zev3
> >
> > Executing "show" by typing "http://127.0.0.1:8080/zev3/shoot" into the
> > browser produces this log entry.
> >
> > ------
> > 2000-03-10T21:44:19 PROBLEM(100) Products.ZScheduler.Loggerr Shoot:
> > http://127.0.0.1:8080/zev3
> > ------
> > 2000-03-10T21:44:19 PROBLEM(100) Products.ZScheduler.Loggerr Show:
> > http://127.0.0.1/zev3
> >
> > What happened with the port?
> >
> > I'll try to track this down further, but I'm afraid the problem is in
> > the depths of ZPublisher somewhere. Any hints would be appreciated.
> >
> > -- Thanks
> > -- Loren
> >
> > _______________________________________________
> > Zope-Dev maillist - Zope-Dev@zope.org
> > http://lists.zope.org/mailman/listinfo/zope-dev
> > ** No cross posts or HTML encoding! **
> > (Related lists -
> > http://lists.zope.org/mailman/listinfo/zope-announce
> > http://lists.zope.org/mailman/listinfo/zope )
>
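
Added example (not part of the thread and not Zope's Client.py code): the Host handling discussed above, sketched in Python 3. It contrasts the port-stripping behaviour with a builder that keeps a non-default port, and adds the listener-port comparison suggested in the reply; all function names are hypothetical, and a Host value without a port is taken to imply the scheme's default port, as RFC 2068 specifies.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def host_header_stripped(url):
    """Behaviour reported in the thread: everything after ':' is dropped."""
    return urlsplit(url).netloc.split(":")[0]

def host_header(url):
    """Host value that keeps a non-default port and never leaks userinfo."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:                       # IPv6 literal: restore the brackets
        host = "[%s]" % host
    port = parts.port
    if port is None or port == DEFAULT_PORTS.get(parts.scheme):
        return host                       # default port is implied
    return "%s:%d" % (host, port)

def port_from_host(value, scheme="http"):
    """Port that a received Host value implies, or None if it is malformed."""
    _, sep, port = value.rpartition(":")
    if not sep or value.endswith("]"):    # no port given (or bare IPv6 literal)
        return DEFAULT_PORTS[scheme]
    if not (port.isascii() and port.isdigit()) or not 0 < int(port) < 65536:
        return None
    return int(port)

def host_matches_listener(value, listening_port, scheme="http"):
    """Server-side check: does Host agree with the port the socket accepted on?

    Only the port is compared; the host name is left alone because a
    multi-hosting server legitimately answers to several names.
    """
    return port_from_host(value, scheme) == listening_port
```

With the URL from the thread, the stripped value implies port 80 and fails the listener check on 8080, which is the mismatch that made `absolute_url()` lose the port.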