[ https://issues.apache.org/jira/browse/SHINDIG-133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12579680#action_12579680 ]

Paul Lindner commented on SHINDIG-133:
--------------------------------------

You have to be really really careful with headers.  Odd things can cause 
problems like this:

http://securitytracker.com/alerts/2005/Jul/1014350.html

Also, one probably needs to correctly parse the Vary: header to ensure that 
dynamic content is properly cached.


> forwarding browser headers on remote content requests
> -----------------------------------------------------
>
>                 Key: SHINDIG-133
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-133
>             Project: Shindig
>          Issue Type: Bug
>          Components: Gadgets Server - Java
>            Reporter: Brian Eaton
>
> There is some fairly dodgy code in ProxyHandler.java.  If a GET request shows 
> up at the server, nearly all of the headers sent from the browser are 
> forwarded to the backend.  This should be replaced with a white list of 
> headers that are OK to copy out of the request.
> As an example of various things that are likely to go wrong with the current 
> code:
> - cookies will be forwarded (and yes, I know gadgets shouldn't have cookies, 
> but if they do we shouldn't leak them this way.)
> - some hop by hop headers will be forwarded
> There are probably other issues.
> Problem code is here:
>       if ("POST".equals(method)) {
>          ....
>       } else {
>         postBody = null;
>         headers = new HashMap<String, List<String>>();
>         Enumeration<String> headerNames = request.getHeaderNames();
>         while (headerNames.hasMoreElements()) {
>           String header = headerNames.nextElement();
>           headers.put(header, Collections.list(request.getHeaders(header)));
>         }
>       }
>       removeUnsafeHeaders(headers);

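A whitelist-based replacement for the quoted header-copy loop, added here as an example and not Shindig's own ProxyHandler code: the class name `SafeHeaderForwarder`, the `ALLOW` set and the `cacheKey` helper are assumptions for illustration. It takes a plain header map instead of an HttpServletRequest so it runs without the servlet API, and the `cacheKey` part follows the Vary: remark above.

```java
import java.util.*;

// Added example, not Shindig's ProxyHandler: relay only allow-listed request
// headers to the remote fetch and build a cache key from the Vary header.
public final class SafeHeaderForwarder {
    // Constructed allow list for this example; everything else (Cookie,
    // Authorization, ...) is dropped. Names are lower-cased (HTTP is case-insensitive).
    private static final Set<String> ALLOW = new HashSet<>(Arrays.asList(
        "accept", "accept-language", "user-agent"));
    // Hop-by-hop headers (RFC 2616 section 13.5.1) never cross a proxy, even if allow-listed.
    private static final Set<String> HOP_BY_HOP = new HashSet<>(Arrays.asList(
        "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
        "te", "trailers", "transfer-encoding", "upgrade"));
    /** Copies only the allow-listed, non hop-by-hop headers into a new map. */
    public static Map<String, List<String>> filter(Map<String, List<String>> in) {
        Map<String, List<String>> out = new LinkedHashMap<>();
        for (Map.Entry<String, List<String>> e : in.entrySet()) {
            String name = e.getKey().toLowerCase(Locale.ROOT);
            if (ALLOW.contains(name) && !HOP_BY_HOP.contains(name)) {
                out.put(name, new ArrayList<>(e.getValue()));
            }
        }
        return out;
    }
    /** Cache key: URL plus the forwarded value of each header named in Vary.
     *  Returns null for "Vary: *", which means the response must not be cached. */
    public static String cacheKey(String url, String vary, Map<String, List<String>> fwd) {
        if (vary == null || vary.trim().isEmpty()) return url;
        StringBuilder key = new StringBuilder(url);
        for (String field : vary.split(",")) {
            String name = field.trim().toLowerCase(Locale.ROOT);
            if (name.equals("*")) return null;
            List<String> v = fwd.get(name);
            key.append('|').append(name).append('=').append(v == null ? "" : String.join(",", v));
        }
        return key.toString();
    }

    public static void main(String[] args) {
        // Constructed sample of what a browser might send through the proxy.
        Map<String, List<String>> req = new LinkedHashMap<>();
        req.put("Cookie", Arrays.asList("session=abc"));
        req.put("Connection", Arrays.asList("keep-alive"));
        req.put("Accept-Language", Arrays.asList("de"));
        Map<String, List<String>> fwd = filter(req);
        System.out.println(fwd);
        System.out.println(cacheKey("http://example.com/x", "Accept-Language", fwd));
    }
}
```

Running `main` shows that only the `accept-language` entry survives `filter`, so the Cookie and the hop-by-hop Connection header never reach the backend, while the cache key still distinguishes responses that vary on Accept-Language.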