-
Notifications
You must be signed in to change notification settings - Fork 5.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Provide a host
application setting
#3205
Comments
What exactly do you mean by "HTTP Host header vulnerability"? Is it the same as DNS rebinding, discussed in #2256, or is there something more? The docs added in https://github.com/tornadoweb/tornado/pull/2297/files show the two current methods for validating the |
When an app accepts requests for wildcard hosts, an attacker can send their own controlled domain in the For example, an attacker can initiate a password reset for any user and pass their own controlled domain via the
Your app will construct the full url with the attacker's supplied domain name and send the link to the victim in an email. When the victim visits that link, they are taken to the attackers website which can capture the token from the URL. This only happens when the app accepts wildcard domains.
IDK, but adding handlers via the Application constructor has become the de-facto way. Literally hundreds of tutorials across the web show it that way. A If not, then either the examples in the docs should be changed, or some sort of warning must be added. Fortunately, I've been running Tornado behind Nginx so it hasn't been a problem for me. But apps hosted on PaaS platforms will be vulnerable. |
It seems to me that the vulnerability here is not in the fact that the server accepts requests with unknown host headers, but that the app generates password reset links (or other URLs) with unverified client-supplied data. And this is still tornado's fault, but I'd place the blame on the I think what we need is some sort of flag that is set on |
For allowing multiple hosts, we can take ideas from Django's But instead of a list, it could be a regex so that it readily works with the Something like: So:
|
Hmm, an On the other hand, a multi-valued I'll think about this some more, and how it might relate to changes to |
Could use UFW. deny and allow you want. |
I'm not very familiar with UFW but I don't see how it could be used here. Note that the problem here relates primarily to the HTTP |
The docs, and almost every Tornado code example on the internet adds handlers to an
Application
via thehandlers
argument to the constructor. That means the application accepts requests for any host.But listening to wildcard hosts is vulnerable to HTTP Host header vulnerability.
Please provide a new app setting called
host
which, if set, will be used to match all incoming requests.The text was updated successfully, but these errors were encountered: