This is a quick hack to address the SSL info leakage covered here: http://www.freedom-to-tinker.com/blog/felten/side-channel-leaks-web-applications
Don't use this in prod without testing. :-)
I'll get some feedback from django-dev and update here.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 | import random
from django.http import HttpResponse
class SidebandCoverTrafficMiddleware(object):
"""
HTTP traffic (even under SSL) can be observed for information leakage based on
response lengths; this is more important with AJAX providing many small requests.
See http://www.freedom-to-tinker.com/blog/felten/side-channel-leaks-web-applications
A mitigation is to add some padding to responses to obscure the original lengths.
"""
SUPPORTED_MIMETYPES = (
'text/*',
)
SUPPORTED_STATUSES = (
200,
)
EXTRA_PADDING_MAX = 1024
def should_process(self, response):
if not response.status_code in self.SUPPORTED_STATUSES:
return False
ct = response['content-type']
ct_prefix = ct.split('/')[0] + '/*'
if not (ct_prefix in self.SUPPORTED_MIMETYPES or
ct in self.SUPPORTED_MIMETYPES):
return False
return True
def process_response(self, request, response):
if self.should_process(response):
return HttpResponse(response.content + ' ' * random.randint(0, self.EXTRA_PADDING_MAX),
content_type=ct,
status=response.status_code
)
|
More like this
- Template tag - list punctuation for a list of items by shapiromatron 10 months, 2 weeks ago
- JSONRequestMiddleware adds a .json() method to your HttpRequests by cdcarter 10 months, 3 weeks ago
- Serializer factory with Django Rest Framework by julio 1 year, 5 months ago
- Image compression before saving the new model / work with JPG, PNG by Schleidens 1 year, 6 months ago
- Help text hyperlinks by sa2812 1 year, 6 months ago
Comments
Why not end should_process simply by:
return ct_prefix in self.SUPPORTED_MIMETYPES or ct in self.SUPPORTED_MIMETYPES
#
Please login first before commenting.