[Twisted-web] Preventing XSS when using Nevow's vhost functionality

David Reid dreid at dreid.org
Wed Oct 19 17:42:54 MDT 2005


On Oct 19, 2005, at 4:29 PM, Jason Mobarak wrote:
> So pageWithAttackJS.js would more likely be liveglue.js?

Perhaps, but I don't think liveglue.js is a hardcoded relative link.

> I don't quite understand why this works.  If the first two segments  
> of the vhost request are the protocol and the host why isn't it the  
> case that these segments are consumed, the URL is re-written to:
>
> http://foo.bar/vhost/http/google.com
>
> ...and it fails because foo.bar doesn't exist?  Why are the  
> segments still consumed after this point, or...?

Because the point of VHostMonsterResource is so that the application  
doesn't need to know the url it's actually being accessed from in a  
ProxyPass situation.  In a real world example you'd trick the user to  
go to http://foo.bar/vhost/http/google.com/ and the user would; the  
apache server at foo.bar would forward the request to  
http://localhost:8080/vhost/http/foo.bar/vhost/http/google.com/ so the  
above multiple calls happen and the final request consists of a host  
being set to google.com.  There just isn't any implementation for it to  
fail because foo.bar doesn't exist.  The gist is, VHostMonsterResource's  
flaws are numerous and inherent.

-David
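A constructed model of the segment consumption described above, added here for illustration (it is not Nevow's or Twisted's code, and the function name and the optional allowlist are assumptions): each leading /vhost/<proto>/<host> prefix is consumed in turn, so the last prefix decides which host the application believes it is served from, and an allowlist of hosts the deployment actually fronts is the obvious check that stops a second prefix from overriding the first.

```python
from urllib.parse import urlsplit

VHOST_MARKER = "vhost"


def resolve_vhost(url, allowed_hosts=None):
    """Simplified model of VHostMonsterResource-style prefix handling.

    Every leading "/vhost/<proto>/<host>" prefix is consumed, and the last
    one wins: the app ends up believing it is served at <proto>://<host>.
    Nothing here (as in the thread) checks that <host> is real.

    Returns (proto, host, remaining_path, rejected).  When allowed_hosts is
    given, a prefix naming a host outside that set is refused and processing
    stops, so an upstream proxy's own prefix is honoured but a nested,
    attacker-supplied one is not.  Hosts are compared as the full netloc,
    so "foo.bar:8080" and "foo.bar" are distinct entries.
    """
    parts = urlsplit(url)
    proto, host = parts.scheme, parts.netloc
    segments = [s for s in parts.path.split("/") if s]
    while len(segments) >= 3 and segments[0] == VHOST_MARKER:
        new_proto, new_host = segments[1], segments[2]
        if allowed_hosts is not None and new_host not in allowed_hosts:
            # Hardened behaviour: leave the previously established host in
            # place and report the refused prefix instead of consuming it.
            return proto, host, "/" + "/".join(segments), True
        proto, host = new_proto, new_host
        segments = segments[3:]
    return proto, host, "/" + "/".join(segments), False


if __name__ == "__main__":
    # The doubly prefixed URL from the thread, constructed for this example.
    chained = "http://localhost:8080/vhost/http/foo.bar/vhost/http/google.com/"
    print(resolve_vhost(chained))                          # host ends up google.com
    print(resolve_vhost(chained, allowed_hosts={"foo.bar"}))  # second prefix refused
```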