dijxtra wrote:
> Is it safe to use HttpResponseRedirect(request.META["HTTP_REFERER"])?
> Can a session be stolen using this code by spoofing HTTP_REFERER?
Two things stand out to me:

1) HTTP_REFERER is not a required header, so if the browser doesn't send it, your code won't do what you expect. I'd use

    DEFAULT_URL = 'http://example.com/wherever/'
    destination = request.META.get('HTTP_REFERER', DEFAULT_URL)

People strip it out for privacy, spoof it intentionally, and not all proxy servers forward the HTTP_REFERER (or do it correctly). It's user-originated data, so not to be trusted. :)

2) While it's not session-stealing, it might be possible for an attacker to set up phishing sites that look like your site that can be directed through your page. It might be possible to have this information leaked to the phishing site (I'd look first at sensitive information in the GET parameters) if they're redirected back to the phishing site. As such, I'd have my code assert that the destination begins with the expected URL prefix, something like

    MY_BASE_URL = 'http://example.com/'  # trailing slash important
    if destination.startswith(MY_BASE_URL):
        return HttpResponseRedirect(destination)
    else:
        return handle_spoofed_http_referer(destination)

I don't believe it can be used to steal a session unless there are other pages on your domain that you don't trust. :) This would be a scenario something like

    http://example.com/mysite/
    http://example.com/evil_site/

If that's the case, get a better host that doesn't house malevolent characters in a shared domain. :)

I believe session information is usually stored in cookies (whether database backed, or signed-cookie-content backed), and browsers shouldn't send cookies to the wrong domain.

So it boils down to basic common-sense internet cautions:

1) don't trust it, but use it for convenience after validating it
2) don't put sensitive information in your GET params
3) do host on a decent provider that doesn't do stupid stuff

There might be other issues, but they've neither crossed my radar before, nor turned up in a short google regarding HTTP_REFERER security issues.
-tim

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com
To unsubscribe from this group, send email to django-users+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/django-users?hl=en
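One way to carry out the "fall back to a default, then validate the destination" approach Tim describes, as an added example that is not part of the original thread and not Django's own code. It parses the referer instead of relying on a string prefix, so a host that merely starts with the expected name, a userinfo trick, or a scheme-less URL are all rejected; `meta` stands in for `request.META` and the host names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed values for the example; real projects would read these from settings.
ALLOWED_HOSTS = {"example.com"}
DEFAULT_URL = "http://example.com/wherever/"


def safe_destination(meta, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_URL):
    """Return a redirect target derived from HTTP_REFERER, or `default`.

    `meta` plays the role of Django's request.META (a plain dict here).
    The referer is used only if it is an absolute http(s) URL whose host is
    exactly one of `allowed_hosts`; anything else falls back to `default`.
    """
    referer = meta.get("HTTP_REFERER")
    if not referer:
        # Header absent: browser privacy setting, proxy, or simply not sent.
        return default
    if "\\" in referer:
        # Browsers treat a backslash like a slash; urlsplit does not, so reject.
        return default
    try:
        parts = urlsplit(referer)
    except ValueError:
        return default
    if parts.scheme not in ("http", "https"):
        # Rejects scheme-less ("//other.test/") and non-web schemes alike.
        return default
    # .hostname strips any userinfo and port, so "http://example.com@phish.test/"
    # yields "phish.test" and is rejected below.
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return default
    return referer


if __name__ == "__main__":
    # Constructed request headers standing in for request.META.
    for hdr in ({}, {"HTTP_REFERER": "http://example.com/page/?q=1"},
                {"HTTP_REFERER": "https://example.com.phish.test/"}):
        print(hdr, "->", safe_destination(hdr))
```

In a view, the returned value is what you hand to `HttpResponseRedirect`; the fallback covers Tim's first point (missing header) and the host check covers his second (off-site destination).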