p6micgy9w
/
monkeyking
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #439 from zischwartz/websocket-check-origin

Browse Source 
Added cross origin websocket handling for terminal
pull/449/head
Min RK 11 years ago
parent 336b3b7db6 2e16713e32
commit 35a0a0bb57
2 changed files with 54 additions and 40 deletions
Show Stats Download Patch File Download Diff File

80
notebook/base/handlers.py
Unescape View File

@ -244,6 +244,47 @@ class IPythonHandler(AuthenticatedHandler):
else:
origin = self.request.headers.get("Sec-Websocket-Origin", None)
return origin
# origin_to_satisfy_tornado is present because tornado requires
# check_origin to take an origin argument, but we don't use it
def check_origin(self, origin_to_satisfy_tornado=""):
"""Check Origin for cross-site API requests, including websockets
Copied from WebSocket with changes:
- allow unspecified host/origin (e.g. scripts)
"""
if self.allow_origin == '*':
return True
host = self.request.headers.get("Host")
origin = self.request.headers.get("Origin")
# If no header is provided, assume it comes from a script/curl.
# We are only concerned with cross-site browser stuff here.
if origin is None or host is None:
return True
origin = origin.lower()
origin_host = urlparse(origin).netloc
# OK if origin matches host
if origin_host == host:
return True
# Check CORS headers
if self.allow_origin:
allow = self.allow_origin == origin
elif self.allow_origin_pat:
allow = bool(self.allow_origin_pat.match(origin))
else:
# No CORS headers deny the request
allow = False
if not allow:
self.log.warn("Blocking Cross Origin API request. Origin: %s, Host: %s",
origin, host,
)
return allow
#---------------------------------------------------------------
# template rendering
@ -327,45 +368,6 @@ class IPythonHandler(AuthenticatedHandler):
class APIHandler(IPythonHandler):
"""Base class for API handlers"""
def check_origin(self):
"""Check Origin for cross-site API requests.
Copied from WebSocket with changes:
- allow unspecified host/origin (e.g. scripts)
"""
if self.allow_origin == '*':
return True
host = self.request.headers.get("Host")
origin = self.request.headers.get("Origin")
# If no header is provided, assume it comes from a script/curl.
# We are only concerned with cross-site browser stuff here.
if origin is None or host is None:
return True
origin = origin.lower()
origin_host = urlparse(origin).netloc
# OK if origin matches host
if origin_host == host:
return True
# Check CORS headers
if self.allow_origin:
allow = self.allow_origin == origin
elif self.allow_origin_pat:
allow = bool(self.allow_origin_pat.match(origin))
else:
# No CORS headers deny the request
allow = False
if not allow:
self.log.warn("Blocking Cross Origin API request. Origin: %s, Host: %s",
origin, host,
)
return allow
def prepare(self):
if not self.check_origin():

14
notebook/terminal/handlers.py
Unescape View File

@ -9,6 +9,12 @@ from tornado import web
import terminado
from ..base.handlers import IPythonHandler
try:
from urllib.parse import urlparse # Py 3
except ImportError:
from urlparse import urlparse # Py 2
class TerminalHandler(IPythonHandler):
"""Render the terminal interface."""
@web.authenticated
@ -16,9 +22,15 @@ class TerminalHandler(IPythonHandler):
self.write(self.render_template('terminal.html',
ws_path="terminals/websocket/%s" % term_name))
class TermSocket(terminado.TermSocket, IPythonHandler):
class TermSocket(IPythonHandler, terminado.TermSocket):
def set_default_headers(self):
pass
def origin_check(self):
"""Override Terminado's origin_check with our own check_origin, confusingly"""
return self.check_origin()
def get(self, *args, **kwargs):
if not self.get_current_user():

Write Preview
Loading…
Cancel
Save