Defuse a "Host:" header attack
38c83ef846c1
Actions

Authored by epriestley <git@epriestley.com> on Oct 22 2012, 19:49.

Description

Defuse a "Host:" header attack

Summary:
Django released a security update recently dealing with malicious "Host" headers:

We're vulnerable to the same attack. Plug the hole.

The risk here is that an attacker does something like this:

Register "evil.com".
Point it at secure.phabricator.com in DNS.
Send a legitimate user a link to "secure.phabricator.com:ignored@evil.com".
They login and get cookies. Normally Phabricator refuses to set cookies on domains it does not recognize.
The attacker now points "evil.com" at his own servers and reads the auth cookies on the next request.

Test Plan: Unit tests.

Reviewers: vrana, btrahan

Reviewed By: vrana

CC: aran

Committed

epriestley <git@epriestley.com>

Oct 22 2012, 19:49

Pushed

aubort

Jan 31 2017, 17:16

Parents

rPH96b5d0e74a92: Generate Releeph GLYPHICON

Branches

Unknown

Tags

Unknown

epriestley <git@epriestley.com> committed rPH38c83ef846c1: Defuse a "Host:" header attack (authored by epriestley <git@epriestley.com>).Oct 22 2012, 19:49

				Path
	M			src/aphront/AphrontRequest.php
	M			src/aphront/__tests__/AphrontRequestTestCase.php