From 38cface138bb60c692ab22577eb685179d49382a Mon Sep 17 00:00:00 2001
From: Florian Mounier
Date: Fri, 28 Feb 2014 18:59:49 +0100
Subject: [PATCH] Protect origin, it enhance a little bit security

---
 butterfly/__init__.py | 2 +-
 butterfly/routes.py | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/butterfly/__init__.py b/butterfly/__init__.py
index db51ae0..b4106ac 100644
--- a/butterfly/__init__.py
+++ b/butterfly/__init__.py
@@ -14,7 +14,7 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see .
-__version__ = '1.2.3'
+__version__ = '1.2.4'
 
 import os
diff --git a/butterfly/routes.py b/butterfly/routes.py
index 66b9d07..f0296a2 100644
--- a/butterfly/routes.py
+++ b/butterfly/routes.py
@@ -180,6 +180,14 @@ class TermWebSocket(Route, tornado.websocket.WebSocketHandler):
 self.fd, self.shell_handler, ioloop.READ | ioloop.ERROR)
 
 def open(self, user, path):
+ if self.request.headers['Origin'] != 'http://%s' % (
+ self.request.headers['Host']):
+ self.log.warning(
+ 'Unauthorized connection attempt: from : %s to: %s' % (
+ self.request.headers['Origin'],
+ self.request.headers['Host']))
+ self.close()
+ return
 self.socket = utils.Socket(self.ws_connection.stream.socket)
 self.set_nodelay(True)
 self.log.info('Websocket opened %r' % self.socket)
@@ -208,6 +216,9 @@ class TermWebSocket(Route, tornado.websocket.WebSocketHandler):
 self.pty()
 
 def on_message(self, message):
+ if not hasattr(self, 'writer'):
+ self.close()
+ return
 if message[0] == 'R':
 cols, rows = map(int, message[1:].split(','))
 s = struct.pack("HHHH", rows, cols, 0, 0)
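Review bot: The new guard at the top of open() subscripts `self.request.headers['Origin']`, so a client that sends no Origin header at all (non-browser WebSocket clients commonly omit it) raises KeyError instead of being rejected cleanly, and the same subscript is repeated inside the warning call. The expected value also hard-codes `http://`, so if the server is ever reached over TLS the browser sends an `https://host` Origin that never matches and every legitimate connection is closed. I would read the header once and take the scheme from the request: `origin = self.request.headers.get('Origin')`, `if origin != '%s://%s' % (self.request.protocol, self.request.headers['Host']):`, and pass `origin` to the warning so a missing header is logged as `None` rather than crashing. Note the comparison runs inside open(), i.e. after the upgrade handshake has already completed; if the Tornado release in use offers a pre-handshake hook, doing the check there would refuse the upgrade with a 403 instead of opening and then closing the socket. The body of open() continues past the end of the hunk.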
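Review bot: The added guard in on_message() closes the connection silently when `writer` is not set, so a frame that arrives before the terminal is attached (for instance on the rejected-origin path in open()) leaves no trace in the log, unlike the warning open() emits; I would log before closing, e.g. `self.log.warning('Message received before the terminal was ready, closing')`. Using `hasattr` as the readiness flag is also fragile — presumably `writer` is assigned when the pty is set up, and initialising `self.writer = None` up front and testing `self.writer is None` would make the intended state explicit. The next line still indexes `message[0]`, so an empty frame raises IndexError on untrusted input; extending the guard to `if not message or not hasattr(self, 'writer'):` covers that too. The body of on_message() continues past the end of the hunk.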