Needs a mechanism to force https:// on redirect URLs #8

Closed

simonw opened this issue Feb 4, 2020 · 2 comments

Labels
bug

Comments

simonw (Owner) commented Feb 4, 2020

This code here:

```python
def url_from_scope(scope):
    scheme = scope["scheme"].encode("utf8")
    path = scope.get("raw_path", scope["path"].encode("utf8"))
    host = dict(scope["headers"])[b"host"]
    return (b"%s://%s%s" % (scheme, host, path)).decode("utf8")
```

Will miss the fact that the incoming request was originally https (e.g. proxied via traffic) - which means the ?next= URL we redirect people to will sometimes have the incorrect scheme.

@simonw simonw added the bug label Feb 4, 2020
simonw (Owner, Author) commented Feb 4, 2020

Maybe obey x-forwarded-proto - but only if configured to do so?

https://asgi-scope.now.sh/

```
{'client': ('172.29.0.6', 46600),
 'headers': [[b'host', b'asgi-scope.now.sh'],
             [b'x-forwarded-host', b'asgi-scope.now.sh'],
             [b'x-real-ip', b'171.66.12.167'],
             [b'x-forwarded-for', b'171.66.12.167'],
             [b'x-forwarded-proto', b'https'],
             [b'x-now-id', b'kggsg-1580854924737-c48cd17471e0'],
             [b'x-zeit-co-forwarded-for', b'171.66.12.167'],
             [b'user-agent',
              b'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko'
              b'/20100101 Firefox/72.0'],
             [b'accept',
              b'text/html,application/xhtml+xml,application/xml;q=0.9,image/'
              b'webp,*/*;q=0.8'],
             [b'accept-language', b'en-US,en;q=0.5'],
             [b'accept-encoding', b'gzip, deflate, br'],
             [b'dnt', b'1'],
             [b'upgrade-insecure-requests', b'1'],
             [b'x-now-trace', b'sfo1']],
 'http_version': '0.0',
 'method': 'GET',
 'path': '/',
 'query_string': b'',
 'scheme': 'http',
 'server': ('172.28.0.6', 8000),
 'type': 'http'}
```
simonw (Owner, Author) commented Feb 5, 2020

I'm going to add a trust_x_forwarded_proto boolean setting, defaults to False.

@simonw simonw closed this in 0b3b94d Feb 5, 2020
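An added example (not the project's own code, and not the fix in the commit referenced above) of how a `trust_x_forwarded_proto` setting can gate the header: the scheme from `x-forwarded-proto` is used only when the setting is on, and only if it is `http` or `https`, so the ASGI scheme stays the fallback. The helper names `header_value` and `effective_scheme` and the `example.test` scope are assumptions.

```python
ALLOWED_SCHEMES = {b"http", b"https"}


def header_value(scope, name):
    """Return the first value of header `name` from an ASGI scope, or None."""
    for key, value in scope.get("headers", []):
        if key.lower() == name:
            return value
    return None


def effective_scheme(scope, trust_x_forwarded_proto=False):
    """Pick the scheme to use in URLs built from this request.

    The ASGI scheme is what the app server saw, which is plain http behind a
    TLS-terminating proxy. Only a proxy we control can be trusted to set
    x-forwarded-proto, so it is ignored unless the setting is on, and even
    then only http/https are accepted.
    """
    scheme = scope["scheme"].encode("utf8")
    if not trust_x_forwarded_proto:
        return scheme
    forwarded = header_value(scope, b"x-forwarded-proto")
    if forwarded is None:
        return scheme
    # Chained proxies may append values ("https, http"); the first one is
    # the scheme the client used. Anything outside the allow-list is dropped
    # so a client-supplied value cannot end up in the redirect URL.
    candidate = forwarded.split(b",")[0].strip().lower()
    return candidate if candidate in ALLOWED_SCHEMES else scheme


def url_from_scope(scope, trust_x_forwarded_proto=False):
    """Reconstruct the request URL from an ASGI scope."""
    scheme = effective_scheme(scope, trust_x_forwarded_proto)
    path = scope.get("raw_path", scope["path"].encode("utf8"))
    host = header_value(scope, b"host") or b""
    return (b"%s://%s%s" % (scheme, host, path)).decode("utf8")


# Constructed scope modelled on the proxied request dumped above (not real data).
PROXIED_SCOPE = {
    "type": "http",
    "scheme": "http",
    "path": "/login/",
    "raw_path": b"/login/",
    "headers": [(b"host", b"example.test"), (b"x-forwarded-proto", b"https")],
}
```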