Unvalidated http-->https redirect #21

baszoetekouw · 2024-01-12T15:37:18Z

de guacomole host (pilot1) doet unvalidated http-->https redirects (maw: hij redirect je vriendelijk naar whatever host je in je HTTP Host header stopt, ook als hij die host niet zelf serveert):

╰─▶ telnet pilot1.sram.surf.nl 80
Trying 145.101.114.5...
Connected to pilot1.sram.surf.nl.
Escape character is '^]'.
GET / HTTP/1.1
Host: evilserver.com

HTTP/1.1 301 Moved Permanently
Location: https://evilserver.com/
Date: Fri, 12 Jan 2024 15:36:51 GMT
Content-Length: 17
Content-Type: text/plain; charset=utf-8

Moved Permanently

The text was updated successfully, but these errors were encountered:

HarryKodden · 2024-01-12T15:53:52Z

issue confirmed

curl --request GET \
  --url http://proxy.pilot1.sram.surf.nl/ping \
  --header 'host: evilserver.com'

Adjust Treafik config

old:

  - "traefik.http.routers.httpCatchall.rule=HostRegexp(`{any:.+}`)"

new:

  - "traefik.http.routers.httpCatchall.rule=HostRegexp(`{any:.+}.pilot1.sram.surf.nl`)"

baszoetekouw assigned HarryKodden Jan 12, 2024

baszoetekouw added the bug Something isn't working label Jan 12, 2024

sram-project-automation bot added this to SRAM development Jan 12, 2024

github-project-automation bot moved this to New in SRAM development Jan 12, 2024

baszoetekouw moved this from New to Todo in SRAM development Jan 12, 2024

HarryKodden closed this as completed Aug 30, 2024

HarryKodden moved this from Todo to Done in SRAM development Aug 30, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Unvalidated http-->https redirect #21

Unvalidated http-->https redirect #21

baszoetekouw commented Jan 12, 2024

HarryKodden commented Jan 12, 2024

Unvalidated http-->https redirect #21

Unvalidated http-->https redirect #21

Comments

baszoetekouw commented Jan 12, 2024

HarryKodden commented Jan 12, 2024