[vlc-devel] [PATCH 0/2] mitigate CSRF and DNS rebinding attacks on httpd server.

Pierre Lamot pierre at videolabs.io
Wed Jan 31 18:38:00 CET 2018

This series aim to mitigate CSRF and DNS rebinding attacks against the http interface.

CSRF is mitigated by checking Origin and Referer fields in the HTTP request.
A proper implementation would also use a CSRF token mechanism, but this can't
added to the current implentation without breaking the API.

DNS rebinding is mitigated with a white list of domain names.

things I'm not sure about:
  - is it okay to "http-host" as host target orgin.
  - should we consider the domain white list as valid target origin.
  - should we add the white list domain to a "Access-Control-Allow-Origin" header.

Pierre Lamot (2):
  httpd: mitigate CRSF attack by checking request Origin
  httpd: mitigate DNS rebinding attack by allowing to specify a domain
    white list.

 src/libvlc-module.c |   5 ++
 src/network/httpd.c | 160 ++++++++++++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 159 insertions(+), 6 deletions(-)


More information about the vlc-devel mailing list