[Zope-dev] Client.py looses port? Bug?

Sam Gendler sgendler@impossible.com
Sat, 11 Mar 2000 10:56:05 -0800


Michel Pelletier wrote:

> I _think_ the problem is that ZServer builds SERVER_URL from the Host
> header and other HTTP headers.  If the client reports these incorrectly,
> then ZServer will get them wrong, even though ZServer knows what port
> the request came in on.
>
> This needs to be thought about (and obviously confirmed, I'm not
> positive) what you may want to do is get one of those fancy HTTP
> sniffers to see if ZClient requests are sending the port along with the
> Host header.  If not, obviously ZClient should be fixed, but also maybe
> we should consider ZServer inspecting the Host header to make sure it
> jives with what port and host the request actually came in on (or at
> least the port, I'm not sure if in a multi-hosting environment this
> should be done).  I don't think this is a security problem, but it might
> introduce some form of port spoofing we are unfamiliar with or unaware of.

Actually, I have been known to spoof the port number with a Cisco Local
Director, allowing me to redirect the port 80 request on the LD to port 8080 on a
cluster of servers behind the LD.  Additionally, how would Zope deal with
PCGI/FastCGI requests, since it would not be able to ascertain a port number
from the socket directly?  Besides, from a debugging standpoint, I often debug
sites and servers by doing manual http requests from a telnet client, playing
all sorts of games with the Host header.  Any changes to ZServer that prevent
this kind of behaviour would make my life very difficult.  I think we should
just fix ZClient (if this is actually the problem).

Besides, I don't think you need a network sniffer to look at the host header.
Isn't the host header available from the REQUEST?  If so, just stick it in the
log with the absolute_url.

--sam


>
>
> -Michel
>
> Loren Stafford wrote:
> >
> > I've found that absolute_url does not return the port number when the
> > request was created by client.py.
> >
> > I may not have isolated the problem at the most detailed level, but here's
> > one way to reproduce it. An object (zev3) in this case has two methods for
> > the purposes of isolating this problem:
> >
> >   def shoot(self, client=None, REQUEST=None, RESPONSE=None, **kw):
> >     """Track down a problem in absolute_url()
> >     """
> >     from ZPublisher import Client
> >     import Loggerr
> >     loggerr=Loggerr.loggerr
> >     # URL as seen by the request that came in from the browser
> >     myurl=self.absolute_url()
> >     emsg='Shoot: %s' % myurl
> >     loggerr(100, emsg, detail='')
> >     # second request to the same object, this time made by Client.py
> >     Client.call('%s/%s' % (myurl, 'show'))
> >
> >   def show(self, client=None, REQUEST=None, RESPONSE=None, **kw):
> >     """Track down a problem in absolute_url()
> >     """
> >     import Loggerr
> >     loggerr=Loggerr.loggerr
> >     emsg='Show: %s' % self.absolute_url()
> >     loggerr(100, emsg, detail='')
> >
> > Executing "show" by typing "http://127.0.0.1:8080/zev3/show" into the
> > browser produces this log entry.
> >
> > ------
> > 2000-03-10T21:47:04 PROBLEM(100) Products.ZScheduler.Loggerr Show:
> > http://127.0.0.1:8080/zev3
> >
> > Executing "show" by typing "http://127.0.0.1:8080/zev3/shoot" into the
> > browser produces this log entry.
> >
> > ------
> > 2000-03-10T21:44:19 PROBLEM(100) Products.ZScheduler.Loggerr Shoot:
> > http://127.0.0.1:8080/zev3
> > ------
> > 2000-03-10T21:44:19 PROBLEM(100) Products.ZScheduler.Loggerr Show:
> > http://127.0.0.1/zev3
> >
> > What happened with the port?
> >
> > I'll try to track this down further, but I'm afraid the problem is in the
> > depths of ZPublisher somewhere. Any hints would be appreciated.
> >
> > -- Thanks
> > -- Loren
> >
> > _______________________________________________
> > Zope-Dev maillist  -  Zope-Dev@zope.org
> > http://lists.zope.org/mailman/listinfo/zope-dev
> > **  No cross posts or HTML encoding!  **
> > (Related lists -
> >  http://lists.zope.org/mailman/listinfo/zope-announce
> >  http://lists.zope.org/mailman/listinfo/zope )

--
Sam Gendler
Chief Technology Officer - Impossible, Inc.
1222 State St. Suite 250
Santa Barbara CA. 93101
w: 805-560-0508
f: 805-560-0608
c: 805-689-1191
e: sgendler@impossible.com
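As an added illustration of the behaviour discussed in this thread (this is not Zope's or ZServer's code; it assumes CGI/WSGI-style environ keys HTTP_HOST, SERVER_NAME, SERVER_PORT and wsgi.url_scheme), the snippet below derives the server URL from the Host header, reproduces the dropped port from Loren's log when the client omits it, and flags a Host-vs-socket port mismatch so it can be logged rather than silently rewritten, since a load balancer in front of port-8080 backends produces that mismatch legitimately:

```python
"""Added example, not Zope code: build the URL prefix from the Host header the
way the thread describes, and report Host/socket port disagreement."""

DEFAULT_PORTS = {'http': 80, 'https': 443}


def split_host(host_header):
    """Split a Host header value into (name, port-or-None)."""
    host = host_header.strip()
    if host.startswith('['):                 # bracketed IPv6 literal
        end = host.index(']')
        name, rest = host[1:end], host[end + 1:]
    else:
        name, sep, rest = host.partition(':')
        rest = sep + rest
    port = int(rest[1:]) if rest[1:].isdigit() else None
    return name, port


def server_url(environ):
    """URL prefix taken from the Host header; socket values only as fallback."""
    scheme = environ.get('wsgi.url_scheme', 'http')
    if environ.get('HTTP_HOST'):
        name, port = split_host(environ['HTTP_HOST'])
        if port is None:
            port = DEFAULT_PORTS[scheme]     # no port in Host means the default
    else:
        name, port = environ['SERVER_NAME'], int(environ['SERVER_PORT'])
    suffix = '' if port == DEFAULT_PORTS[scheme] else ':%d' % port
    return '%s://%s%s' % (scheme, name, suffix)


def host_port_mismatch(environ):
    """True when the port implied by Host differs from the port the request
    actually arrived on.  Worth logging alongside absolute_url(); not an error
    by itself, because a proxy on port 80 in front of 8080 backends does this."""
    if not environ.get('HTTP_HOST'):
        return False
    _, host_port = split_host(environ['HTTP_HOST'])
    if host_port is None:
        host_port = DEFAULT_PORTS[environ.get('wsgi.url_scheme', 'http')]
    return host_port != int(environ['SERVER_PORT'])


# Constructed environs (not real captures) for the two cases in the thread.
BROWSER = {'HTTP_HOST': '127.0.0.1:8080', 'SERVER_NAME': '127.0.0.1',
           'SERVER_PORT': '8080', 'wsgi.url_scheme': 'http'}
ZCLIENT = {'HTTP_HOST': '127.0.0.1', 'SERVER_NAME': '127.0.0.1',
           'SERVER_PORT': '8080', 'wsgi.url_scheme': 'http'}  # port omitted

if __name__ == '__main__':
    for label, env in (('browser', BROWSER), ('zclient', ZCLIENT)):
        print(label, server_url(env), host_port_mismatch(env))
```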