Add section on host header injection and _external=True in url_for (#5718)
parent a5f9742398
commit 7205e1aadc
1 changed files with 19 additions and 0 deletions
@ -293,3 +293,22 @@ pasting, so this isn't strictly necessary. It's also possible to craft
dangerous commands in other ways that aren't possible to filter.
Depending on your site's use case, it may be good to show a warning
about copying code in general.

Host Header Injection
---------------------

Flask’s ``url_for(..., _external=True)`` function generates full URLs based on
the request’s ``Host`` header. If your app does not explicitly set the
``SERVER_NAME`` config or validate incoming host headers, it may be vulnerable
to **host header injection**. This is especially critical when generating external
URLs used in password reset links or redirects, where an attacker can modify
the Host header to inject malicious links.

.. warning::

Always configure ``SERVER_NAME`` and/or use middleware such as Werkzeug’s
``ProxyFix`` to sanitize headers when deploying behind a proxy or load
balancer. You may also consider validating the ``Host`` header or using
`trusted_hosts` to prevent this class of attack.

See also: :doc:`deploying/proxy_fix`
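Review bot: The sentence "use middleware such as Werkzeug’s ``ProxyFix`` to sanitize headers" in the warning overstates what ProxyFix does: it rewrites the WSGI environ from ``X-Forwarded-Host`` (and the other ``X-Forwarded-*`` headers) for the configured number of trusted proxies and does not validate the resulting host, so behind a proxy that does not strip or overwrite those headers it moves the injection point rather than closing it. Suggest wording along the lines of "when deploying behind a proxy, configure ``ProxyFix`` for the number of proxies in front of the app and make sure the proxy overwrites the ``X-Forwarded-*`` headers; keep ``SERVER_NAME`` or host validation as the control that rejects unexpected values". Two smaller points: `trusted_hosts` uses single backticks, which reStructuredText renders as emphasis rather than a literal (the rest of the section uses double backticks for config names), and the body of ``.. warning::`` appears flush with the directive in this view; confirm it is indented in the source, since an unindented body ends the directive and renders as a plain paragraph.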