Mercurial > libervia-web

view libervia/web/server/proxy.py @ 1598:86c7a3a625d5

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
server: always start a new session on connection: The session was kept when a user was connecting from service profile (but not from other profiles), this was leading to session fixation vulnerability (an attacker on the same machine could get service profile session cookie, and use it when a victim would log-in). This patch fixes it by always starting a new session on connection. fix 443
author Goffi <goffi@goffi.org>
date Fri, 23 Feb 2024 13:35:24 +0100
parents eb00d593801d
children
line wrap: on
line source

#!/usr/bin/env python3

# Libervia: a Salut à Toi frontend
# Copyright (C) 2011-2021 Jérôme Poisson <goffi@goffi.org>

# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.

# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
from twisted.web import proxy
from twisted.python.compat import urlquote
from twisted.internet import address
from libervia.backend.core.log import getLogger
from libervia.web.server.constants import Const as C

log = getLogger(__name__)



class SatProxyClient(proxy.ProxyClient):

    def handleHeader(self, key, value):
        if key.lower() == b"x-frame-options":
            value = b"sameorigin"
        elif key.lower() == b"content-security-policy":
            value = value.replace(b"frame-ancestors 'none'", b"frame-ancestors 'self'")

        super().handleHeader(key, value)


class SatProxyClientFactory(proxy.ProxyClientFactory):
    protocol = SatProxyClient


class SatReverseProxyResource(proxy.ReverseProxyResource):
    """Resource Proxy rewritting headers to allow embedding in iframe on same domain"""
    proxyClientFactoryClass = SatProxyClientFactory

    def getChild(self, path, request):
        return SatReverseProxyResource(
            self.host, self.port,
            self.path + b'/' + urlquote(path, safe=b"").encode('utf-8'),
            self.reactor
        )

    def render(self, request):
        # Forwarded and X-Forwarded-xxx headers can be set
        # if we have behind an other proxy
        if ((not request.getHeader(C.H_FORWARDED)
             and not request.getHeader(C.H_X_FORWARDED_HOST))):
            forwarded_data = []
            addr = request.getClientAddress()
            if ((isinstance(addr, address.IPv4Address)
                 or isinstance(addr, address.IPv6Address))):
                request.requestHeaders.setRawHeaders(C.H_X_FORWARDED_FOR, [addr.host])
                forwarded_data.append(f"for={addr.host}")
            host = request.getHeader("host")
            if host is None:
                port = request.getHost().port
                hostname = request.getRequestHostname()
                host = hostname if port in (80, 443) else f"{hostname}:{port}"
            request.requestHeaders.setRawHeaders(C.H_X_FORWARDED_HOST, [host])
            forwarded_data.append(f"host={host}")
            proto = "https" if request.isSecure() else "http"
            request.requestHeaders.setRawHeaders(C.H_X_FORWARDED_PROTO, [proto])
            forwarded_data.append(f"proto={proto}")
            request.requestHeaders.setRawHeaders(
                C.H_FORWARDED, [";".join(forwarded_data)]
            )

        return super().render(request)