Defuse a "Host:" header attack
Summary:
Django released a security update recently dealing with malicious "Host" headers:
https://www.djangoproject.com/weblog/2012/oct/17/security/
We're vulnerable to the same attack. Plug the hole.
The risk here is that an attacker does something like this:
- Register "evil.com".
- Point it at secure.phabricator.com in DNS.
- Send a legitimate user a link to "secure.phabricator.com:ignored@evil.com".
- They log in and get cookies. Normally Phabricator refuses to set cookies on domains it does not recognize.
- The attacker now points "evil.com" at his own servers and reads the auth cookies on the next request.
Test Plan: Unit tests.
Reviewers: vrana, btrahan
Reviewed By: vrana
CC: aran
Differential Revision: https://secure.phabricator.com/D3766
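The check the summary calls for, as an added example in Python that is not Phabricator's code (the project itself is PHP). It shows why the link in the attack works (a browser treats everything before "@" in the authority as userinfo, so the request goes to evil.com and the Host header says evil.com) and then validates the Host header the browser actually sent against an exact allowlist derived from the configured base URI before a cookie is set. `BASE_URI`, `EXTRA_TRUSTED_HOSTS`, the attack link and the sample Host values are all constructed for illustration.

```python
"""Host-header validation: only set session cookies when the Host the
browser actually sent is one the deployment is configured for.

Added example, not Phabricator's code. BASE_URI and EXTRA_TRUSTED_HOSTS
are constructed stand-ins for deployment configuration.
"""
from typing import Optional, Set
from urllib.parse import urlsplit

BASE_URI = "https://secure.phabricator.com/"   # constructed config value
EXTRA_TRUSTED_HOSTS = ()                        # constructed; e.g. ("phab.internal",)


def link_target_host(link: str) -> str:
    """Host a browser will actually connect to for `link`.

    Everything before "@" in the authority is userinfo, so
    "http://secure.phabricator.com:ignored@evil.com/" goes to evil.com even
    though the address bar starts with the trusted name.  The Host header
    the server sees is therefore "evil.com", not the part before "@".
    """
    return urlsplit(link).hostname or ""


def normalize_host(host_header: str) -> Optional[str]:
    """Reduce a raw Host header to a bare lowercase hostname.

    Returns None for anything that is not a plain host[:port]: userinfo,
    paths, whitespace and non-numeric ports are rejected, not guessed at.
    """
    host = host_header.strip().lower()
    if not host or "@" in host or "/" in host or any(c.isspace() for c in host):
        return None
    if host.startswith("["):            # IPv6 literal such as [::1]:8080
        end = host.find("]")
        return host[:end + 1] if end != -1 else None
    name, sep, port = host.partition(":")
    if sep and not port.isdigit():      # "host:ignored" is not a valid port
        return None
    return name or None


def trusted_hosts() -> Set[str]:
    """Exact hostnames the deployment will answer for (no suffix matching)."""
    base = urlsplit(BASE_URI).hostname or ""
    return {base.lower()} | {h.lower() for h in EXTRA_TRUSTED_HOSTS}


def host_is_trusted(host_header: str) -> bool:
    """True only for an exact match against the configured hosts."""
    host = normalize_host(host_header)
    return host is not None and host in trusted_hosts()


def may_set_cookie(host_header: str) -> bool:
    """Gate for Set-Cookie on a login response: refuse unknown Hosts."""
    return host_is_trusted(host_header)


if __name__ == "__main__":
    # Constructed attack link from the summary: the userinfo part is the
    # decoy; the browser sends Host: evil.com.
    attack_link = "http://secure.phabricator.com:ignored@evil.com/login"
    sent_host = link_target_host(attack_link)
    print("browser connects to:", sent_host)
    print("set cookie for that Host?", may_set_cookie(sent_host))
    print("set cookie for configured host?", may_set_cookie("secure.phabricator.com:443"))
```

Exact matching is deliberate: a suffix or substring check would accept "secure.phabricator.com.evil.com", and accepting anything with the trusted name before "@" would accept the attack link itself.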