commit 10ad4c337949872669d2de3fdf87433bed00b6aa
parent 51a3687123713ad33ff210df997a18c998fca329
Author: Dan Stillman <dstillman@zotero.org>
Date: Thu, 13 Oct 2016 00:52:50 -0400
Check Host header in connector server to prevent DNS rebinding attack
https://twitter.com/FredericJacobs/status/786314822526742528
(The worst an attack could do at the moment is save items to the library, but
the connector server will likely do more in future.)
Diffstat:
1 file changed, 7 insertions(+), 0 deletions(-)
diff --git a/chrome/content/zotero/xpcom/server.js b/chrome/content/zotero/xpcom/server.js
@@ -237,6 +237,7 @@ Zotero.Server.DataListener.prototype._headerFinished = function() {
Zotero.debug(this.header, 5);
const methodRe = /^([A-Z]+) ([^ \r\n?]+)(\?[^ \r\n]+)?/;
+ const hostRe = /[\r\n]Host: *127\.0\.0\.1(:[0-9]+)?([^ \r\n]+)/i;
const contentTypeRe = /[\r\n]Content-Type: *([^ \r\n]+)/i;
if(!Zotero.isServer) {
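Review bot: The trailing group `([^ \r\n]+)` in the added `hostRe` does not terminate the Host value: it accepts any run of non-whitespace characters after `127.0.0.1`, so the check in the second hunk only verifies that the value begins with the loopback address rather than equals it, which is weaker than the comment there claims. The same `+` also demands at least one extra character, so a header of exactly `Host: 127.0.0.1` with no port fails to match and is answered with 400, while `Host: 127.0.0.1:23119` only matches because the port group backtracks to give up its last digit. Ending the pattern at whitespace or end of line fixes both: `const hostRe = /[\r\n]Host: *127\.0\.0\.1(:[0-9]+)?[ \r\n]/i;` — this presumes `this.header` keeps the CRLF after each header line, which the leading `[\r\n]` in the existing patterns suggests; confirm. The enclosing `_headerFinished` starts before this hunk.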
@@ -251,6 +252,12 @@ Zotero.Server.DataListener.prototype._headerFinished = function() {
}
}
+ // Make sure the Host header is set to 127.0.0.1 to prevent DNS rebinding attacks
+ if (!hostRe.exec(this.header)) {
+ this._requestFinished(this._generateResponse(400, "text/plain", "Invalid Host header\n"));
+ return;
+ }
+
// get first line of request
var method = methodRe.exec(this.header);
// get content-type
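Review bot: The match object returned by `hostRe.exec(this.header)` on the added `if` line is discarded, so `hostRe.test(this.header)` states the intent more directly: `if (!hostRe.test(this.header)) {`. The rejection branch also leaves no trace in the log while the rest of this function reports through `Zotero.debug` (see the `Zotero.debug(this.header, 5)` call in the first hunk); a line such as `Zotero.debug("Rejecting request with invalid Host header");` before the 400 response would make a blocked request visible when diagnosing connector problems. The function body continues past the end of this hunk.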