-
-
Notifications
You must be signed in to change notification settings - Fork 954
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Host Header Attack: url_for()
should not trust unvalidated Host header
#1855
Comments
Here's a so far unanswered discussion topic that points another issue coming (I think) from the same problem: taking directly raw headers to generate url/redirect etc, without any chance to put some validation logic in-between: #1835 |
thus |
What was the idea behind making a full URL instead of only path part? |
@alex-oleshkevich sometimes you're rendering absolute url so it can be inserted into Emails/SMS. For API, rendering absolute URL can make it easier for clients to cache the result, either in full or just parts of the response, without requiring them to cache the base context URL or trying to resolve the relative URLs. This might not be that big of a problem if you only have one API domain, but clients that calls cross domain requests to many different APIs, and where the API often cross references other APIs as well, taking care of which relative URL belongs to which base URL is an extra unnecessary complexity. |
Discussed in #1854
Originally posted by lieryan September 9, 2022
This is somewhat related to ticket #843.
Currently,
url_for()
can be used to generate an absolute URL for a route and it uses Host header to do so. There is currently no validation in the value of the host header, which can be abused for some quite funky stuffs.This behavior is a security issue because it opens up the application to Host Header Attack.
You can fix this issue in your application by adding a TrustedHostMiddleware and setting
allowed_hosts=["yourdomain.com"]
, but I think most people aren't going to know that they must use TrustedHostMiddleware if they want to useurl_for()
securely.To reproduce:
And on the shell do (note the funky looking Host header):
Important
The text was updated successfully, but these errors were encountered: