
Mailing List Archive: Zope: Dev

Apache rewrite - HTTP_Host redirect issue

 

 



dev at projekt01

Sep 15, 2009, 4:15 PM

Post #1 of 2 (239 views)
Apache rewrite - HTTP_Host redirect issue

Hi Dan

I have an issue with the latest changes in
zope.publisher.http.py

The redirect method in HTTPResponse (http.py, line 880)
forces a ValueError, because the Apache HTTP_HOST
and the target_host do not compare.

def redirect(self, location, status=None, trusted=False):
    location = str(location)
    if not trusted:
        scheme, target_host, path, query, fragment = (
            urlparse.urlsplit(location))
        if target_host and target_host != self._request.get('HTTP_HOST'):
            raise ValueError(
                "Untrusted redirect to host %r not allowed." % target_host)

Apache uses <DOMAIN> in HTTP_HOST, as expected,
and the method used with urlparse.urlsplit(location)
returns <DOMAIN:PORT> as the target_host value.

I'm not sure if this is an issue or a bad Apache rewrite
configuration.

As far as I see, we should remove the PORT part from the
target_host value, right?

I'm not sure whether removing the port info from the value
is counterproductive for security. If so,
what is the correct concept for making the Apache
rewrite work? I guess there is no way to support both.

btw, I run into this problem after a redirect during
authentication from the login form to the camefrom URL. This
should be reproducible with any other Apache (port) rewrite setup.

Regards
Roger Ineichen
_____________________________
Projekt01 GmbH
www.projekt01.ch
Boesch 65
6331 Hünenberg
phone +41 (0)41 781 01 78
mobile +41 (0)79 340 52 32
fax +41 (0)41 781 00 78
email roger.ineichen[at]projekt01.ch
_____________________________
END OF MESSAGE

_______________________________________________
Zope-Dev maillist - Zope-Dev[at]zope.org
https://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
https://mail.zope.org/mailman/listinfo/zope-announce
https://mail.zope.org/mailman/listinfo/zope )


wichert at wiggy

Sep 15, 2009, 11:37 PM

Post #2 of 2 (212 views)
Re: Apache rewrite - HTTP_Host redirect issue [In reply to]

On 2009-9-16 01:15, Roger Ineichen wrote:
> Hi Dan
>
> I have an issue with the latest changes in
> zope.publisher.http.py
>
> The redirect method in HTTPResponse (http.py, line 880)
> forces a ValueError, because the Apache HTTP_HOST
> and the target_host do not compare.
>
> def redirect(self, location, status=None, trusted=False):
>     location = str(location)
>     if not trusted:
>         scheme, target_host, path, query, fragment = (
>             urlparse.urlsplit(location))
>         if target_host and target_host != self._request.get('HTTP_HOST'):
>             raise ValueError(
>                 "Untrusted redirect to host %r not allowed." % target_host)
>
> Apache uses <DOMAIN> in HTTP_HOST, as expected,
> and the method used with urlparse.urlsplit(location)
> returns <DOMAIN:PORT> as the target_host value.

I suspect Apache does use DOMAIN:PORT if the port is a non-standard
port, i.e. http over anything other than port 80 or https over something
other than port 443.

Wichert.

--
Wichert Akkerman <wichert[at]wiggy.net> It is simple to make things.
http://www.wiggy.net/ It is hard to make things simple.
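
The mismatch discussed in this thread, as an added example that is not zope.publisher code and not from either poster: it contrasts the raw string comparison with one that compares the host and the effective port, so an explicit default port matches a bare host while any other host or port is still refused. It is written for Python 3 (urllib.parse rather than urlparse); the function names, the request_scheme parameter and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit  # Python 3 home of the thread's urlparse.urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def host_port(netloc, scheme):
    """Return (lowercased host, effective port) for a netloc or Host value."""
    # Refuse userinfo, backslashes and path/query characters instead of
    # guessing which part a browser would treat as the host.
    if any(c in netloc for c in "@\\/?#"):
        raise ValueError("unexpected character in %r" % netloc)
    parts = urlsplit("//" + netloc)   # handles host:port and [IPv6]:port
    if not parts.hostname:
        raise ValueError("no host in %r" % netloc)
    port = parts.port                 # ValueError on a malformed port
    if port is None:
        port = DEFAULT_PORTS.get(scheme)
    return parts.hostname, port

def strict_same_host(location, http_host):
    """The raw string comparison from the quoted redirect() code."""
    target_host = urlsplit(location).netloc
    return not target_host or target_host == http_host

def normalized_same_host(location, http_host, request_scheme):
    """Compare host and effective port; request_scheme is 'http' or 'https'."""
    target = urlsplit(location)
    if not target.netloc:
        return True                   # no host part: same rule as the quoted code
    try:
        return (host_port(target.netloc, target.scheme or request_scheme)
                == host_port(http_host, request_scheme))
    except ValueError:
        return False                  # anything unparseable is treated as untrusted

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    loc = "http://example.com:80/login.html?camefrom=%2Fmanage"
    print(strict_same_host(loc, "example.com"))
    print(normalized_same_host(loc, "example.com", "http"))
    print(normalized_same_host("http://evil.example/", "example.com", "http"))
```

A redirect that changes scheme (http to https on the same host) compares unequal here because the effective ports differ; whether to allow that is a separate policy decision.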
