Re: CVE request: IPython CSRF validation

[cve-assign () mitre org]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Software name: IPython notebook
> Attack outcome: Possible remote execution
> Patches:
>   2.x:
> https://github.com/ipython/ipython/commit/a05fe052a18810e92d9be8c1185952c13fe4e5b0
>   3.x:
> https://github.com/ipython/ipython/commit/1415a9710407e7c14900531813c15ba6165f0816
>
> POST requests exposed via the IPython REST API are vulnerable to
> cross-site request forgery (CSRF). Web pages on different domains can make
> non-AJAX POST requests to known IPython URLs, and IPython will honor them.
> The user's browser will automatically send IPython cookies along with the
> requests.

Use CVE-2015-5607.

This part of the patch seems unusual, but we haven't researched it at all:

  host = self.request.headers.get("Host")
  origin = self.request.headers.get("Origin")

  # If no header is provided, assume it comes from a script/curl.
  # We are only concerned with cross-site browser stuff here.
  if origin is None or host is None:
     return True

Is this a case where it is safe to skip CSRF protection in all
situations where the client omits an Origin header?

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVrjG9AAoJEKllVAevmvms5UwH/2hScDKEqZ7YRg+Rrh5GNsZj
/EqVTy7VhFSr67xFxE1p/wn8X6UsRs4c4C1BtqGdbFFgh/UHE2X3uFrqeSEX+mWg
i5fDE+OGKSZdqK+UM0pazNsEtWCyrvx/5j+zJ7PSL2Jejrc4v81F/UGP83qtY5CC
1cbslombkmi1juKiupm57sQwqCAhVPASrTaQn9LFZyDlcuvpa/93OlGgdKtlyqX4
u77/cDUVQ+RVb0Ivj9EJAJbfjhfdZ8h/BDn8GiAbQ51ADpogTDCpPpIqRN+9/0d1
LAaDDbROGwBc0IdDzlDB8D2sW2z28o/D6tL9U7Kj5xYKsHuXC8PjPkSBaHZ3om8=
=jjDB
-----END PGP SIGNATURE-----