authorJob Snijders <job@cvs.openbsd.org>2024-03-12 16:02:31 +0000
committerJob Snijders <job@cvs.openbsd.org>2024-03-12 16:02:31 +0000
commit2f2db28a7b9f3cb53d9356b68be5c7d6eec3ca20 (patch)
treeb4cbef0df75f2ea21e543d4219c8f64076bde8ae /usr.sbin/rpki-client
parentf4f2ad97eccd16cc1a7bbbc0ab5f46d0c257f8a3 (diff)
Enforce same-origin policy for HTTP redirects
Isolate resources from different RRDP servers to avoid inappropriately increasing resource consumption for both RRDP clients and the referenced server. OK claudio@ tb@
Diffstat (limited to 'usr.sbin/rpki-client')
-rw-r--r--usr.sbin/rpki-client/http.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/usr.sbin/rpki-client/http.c b/usr.sbin/rpki-client/http.c
index 282487aa1e3..2d76f67d926 100644
--- a/usr.sbin/rpki-client/http.c
+++ b/usr.sbin/rpki-client/http.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: http.c,v 1.80 2024/01/30 11:15:05 claudio Exp $ */
+/* $OpenBSD: http.c,v 1.81 2024/03/12 16:02:30 job Exp $ */
/*
* Copyright (c) 2020 Nils Fisher <nils_fisher@hotmail.com>
* Copyright (c) 2020 Claudio Jeker <claudio@openbsd.org>
@@ -1417,6 +1417,11 @@ http_parse_header(struct http_connection *conn, char *buf)
if (loctail != NULL)
*loctail = '\0';
conn->redir_uri = redirurl;
+ if (!valid_origin(redirurl, conn->req->uri)) {
+ warnx("%s: cross origin redirect to %s", conn->req->uri,
+ http_info(redirurl));
+ return -1;
+ }
} else if (strncasecmp(cp, TRANSFER_ENCODING,
sizeof(TRANSFER_ENCODING) - 1) == 0) {
cp += sizeof(TRANSFER_ENCODING) - 1;
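Review bot: The new origin check runs only after `conn->redir_uri = redirurl;` has already been stored, so on the `return -1` path the connection still carries the rejected cross-origin target; whether the failure path frees it and whether anything later consults `redir_uri` on a failed connection is not visible in this hunk, and the allocation of `redirurl` (and the `Location:` parsing that sets `loctail`) is above it. Validating before the assignment keeps a rejected target from ever becoming connection state: move the `if (!valid_origin(redirurl, conn->req->uri)) { ... return -1; }` block ahead of `conn->redir_uri = redirurl;` and release `redirurl` on that path if it is heap-allocated. The rationale from the commit message is worth carrying into the code, since a reader of `http_parse_header` otherwise sees only a refusal; a comment such as `/* Refuse cross-origin redirects: keep each RRDP server's resource use isolated from the others. */` above the check would do. `valid_origin` is defined elsewhere, so what exactly counts as the same origin (scheme, host, port) cannot be confirmed from this hunk; if it compares only a host prefix, a redirect to a different port on the same host may still pass. http_parse_header starts and ends outside the hunk.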