mirrors/zotero
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

Check Host header in connector server to prevent DNS rebinding attack

Browse source 
https://twitter.com/FredericJacobs/status/786314822526742528

(The worst an attack could do at the moment is save items to the library, but
the connector server will likely do more in future.)
This commit is contained in:
Dan Stillman 2016-10-13 00:52:50 -04:00
parent 51a3687123
commit 10ad4c3379
1 changed files with 7 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
chrome/content/zotero/xpcom/server.js
View file

@ -237,6 +237,7 @@ Zotero.Server.DataListener.prototype._headerFinished = function() {
Zotero.debug(this.header, 5); Zotero.debug(this.header, 5);
const methodRe = /^([A-Z]+) ([^ \r\n?]+)(\?[^ \r\n]+)?/; const methodRe = /^([A-Z]+) ([^ \r\n?]+)(\?[^ \r\n]+)?/;
const hostRe = /[\r\n]Host: *127\.0\.0\.1(:[0-9]+)?([^ \r\n]+)/i;
const contentTypeRe = /[\r\n]Content-Type: *([^ \r\n]+)/i; const contentTypeRe = /[\r\n]Content-Type: *([^ \r\n]+)/i;
if(!Zotero.isServer) { if(!Zotero.isServer) {
@ -251,6 +252,12 @@ Zotero.Server.DataListener.prototype._headerFinished = function() {
} }
} }
// Make sure the Host header is set to 127.0.0.1 to prevent DNS rebinding attacks
if (!hostRe.exec(this.header)) {
this._requestFinished(this._generateResponse(400, "text/plain", "Invalid Host header\n"));
return;
}
// get first line of request // get first line of request
var method = methodRe.exec(this.header); var method = methodRe.exec(this.header);
// get content-type // get content-type