@@ -15,21 +15,26 @@ response:
1515 Not checking `url ` will allow another evil website administrator to replay
1616 responses produced by Raven log-ins to her website to yours, thereby
1717 impersonating someone else.
18+ (Using params as a token (below) doesn't help, since the attacker can
19+ obtain a matching `(cookie, params) ` pair from you first, and then ask
20+ the victim to authenticate with `params ` set to that value.)
1821
1922 Some frameworks, notably Werkzeug, deduce the current hostname from
2023 the `Host ` or `X-Forwarded-Host ` headers (with the latter taking
21- precedence). If you are not checking the `Host ` header / doing virtual
22- hosting *and * wiping the `X-Forwarded-Host ` header in your web server,
23- you need to check the host against a whitelist in your application.
24+ precedence).
25+
26+ .. seealso ::
27+ `werkzeug#609 <https://github.com/mitsuhiko/werkzeug/issues/609 >`_ and
28+ `issue 5 <https://github.com/danielrichman/python-raven/issues/5 >`_
2429
25- This may be used to whitelist domains in Flask::
30+ This technique may be used to whitelist domains in Flask::
2631
2732 class R(flask.Request):
2833 trusted_hosts = {'www.danielrichman.co.uk'}
2934 app.request_class = R
3035
31- You may forgo checking ` url ` * if * you instead use a token in ` params `
32- as described below .
36+ Alternatively, you could sanitise ` Host ` and ` X-Forwarded-Host ` in your
37+ web-server .
3338
3439* check `issue ` is within an acceptable range of *now *
3540
@@ -45,25 +50,24 @@ response:
4550Using params as a token
4651-----------------------
4752
48- If checking `url ` (above) is a pain, you could:
53+ You might like to set a random nonce in the Request's `params `, save
54+ a hashed (with secret salt) or signed copy in a cookie, and check that they
55+ match in the `Response `.
4956
50- * generate a random string just before you redirect to Raven
51- * set a cookie on the client with that string
52- * include that string as `params ` in the :class: `ucam_webauth.Request `
53- * check that they match in the :class: `ucam_webauth.Response `
57+ This is *not * a substitute for any of the checks above, but does make the
58+ `WLS-Response ` values in your web server access logs useless.
5459
55- The principle is similar to that of an CSRF token for submitting forms.
56-
57- This is what :class: `ucam_webauth.flask_glue.AuthDecorator ` does.
60+ :class: `ucam_webauth.flask_glue.AuthDecorator ` does this.
5861
5962Signing keys
6063------------
6164
6265The keys used by Raven to sign responses are included with `python-raven `.
6366I took care in retrieving them, however you should trust neither me nor the
6467method by which you installed this package.
65- **You should check that the copies of the certificates you have are
66- correct / match the files at the links below **.
68+ *You should check that the copies of the certificates you have are
69+ correct / match the files at the links below * (and audit the code you've
70+ just installed, I guess).
6771
6872* ``pubkey2 `` from `<https://raven.cam.ac.uk/project/keys/ >`_
6973* ``pubkey901 `` from `<https://raven.cam.ac.uk/project/keys/demo_server/ >`_
0 commit comments