[Twisted-web] Preventing XSS when using Nevow's vhost functionality

David Reid dreid at dreid.org
Wed Oct 19 17:52:28 MDT 2005

On Oct 19, 2005, at 4:39 PM, David Remahl wrote:
> I'm not familiar with web2.vhost.VHostURIRewrite, but will check it  
> out..."Configuration time", you say. I assume that means at the  
> start of the handling of a request, not when the application is set  
> up and configured? If so, that sounds like a good solution in many  
> cases.

In fact configuration time does mean in the .tac.  You create a  
vhost.VHostURIRewrite resource like so:

    root = vhost.VHostURIRewrite(uri='http://host:port/path',  

There is also a AutoVHostURIRewrite which makes use of x-app-scheme,  
x-forwarded-host, x-app-location, and x-forwarded-for headers to  
determine the real hostname port path etc and also the client ip  
address.  I'm fairly sure this isn't vulnerable to a similar attack  
as VHostMonsterResource but I haven't done an extensive audit of that  
particular code.

> Only allowing a single "invocation" of the monster resource is  
> insufficient in certain situations, namely when http:// 
> internalserver:1234/ is accessible from the outside and not  
> _exclusively_ by the reverse proxy. This might also be a problem  
> with the VHostURIRewrite approach?

It would be a problem with AutoVHostURIRewrite but not a problem with  
VHostURIRewrite, because VHostURIRewrite would mangle the request  
unconditionally and if the client clicked an absolute link would end  
up at the proper location anyway.   This unconditional mangling might  
have other implications if internalserver:1234 is accessible from  
outside but in my opinion that's just more of a reason to not have  
that kind of configuration.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://twistedmatrix.com/pipermail/twisted-web/attachments/20051019/c5e60e62/attachment.htm

More information about the Twisted-web mailing list