[vlc-devel] [PATCH 0/2] mitigate CSRF and DNS rebinding attacks on httpd server.
pierre at videolabs.io
Wed Jan 31 18:38:00 CET 2018
This series aims to mitigate CSRF and DNS rebinding attacks against the http interface.
CSRF is mitigated by checking Origin and Referer fields in the HTTP request.
A proper implementation would also use a CSRF token mechanism, but this can't
be added to the current implementation without breaking the API.
DNS rebinding is mitigated with a white list of domain names.
Things I'm not sure about:
- is it okay to use "http-host" as host target origin?
- should we consider the domain white list as valid target origin?
- should we add the white list domain to an "Access-Control-Allow-Origin" header?
Pierre Lamot (2):
httpd: mitigate CSRF attack by checking request Origin
httpd: mitigate DNS rebinding attack by allowing to specify a domain
src/libvlc-module.c | 5 ++
src/network/httpd.c | 160 ++++++++++++++++++++++++++++++++++++++++++++++++++--
2 files changed, 159 insertions(+), 6 deletions(-)
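The two checks the cover letter describes, written out as an added illustration that is not part of the patch series or of VLC's httpd.c: the Host header is matched against an allowlist of the server's own names (the DNS rebinding defence), and, when the browser sent an Origin or Referer header, its authority must equal the request's Host (the CSRF defence). The allowlist contents, the `check_request`/`extract_authority` names and the verdict enum are assumptions made for this example; in the series the allowed names would come from the new configuration option.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hostnames this server accepts in the Host header (constructed sample allowlist;
 * in the patch series these would be the user-configured white list). */
static const char *const allowed_hosts[] = {
    "localhost", "127.0.0.1", "[::1]", "vlc.example.test", NULL
};

/* Copy the authority part (host[:port]) of a URL or Host value into out,
 * lowercased, dropping any scheme and path. With keep_port == false the port
 * is dropped as well. Returns false if nothing usable is found or it does not
 * fit in out. Userinfo ("user@host") is not handled; browsers do not send it. */
static bool extract_authority(const char *value, bool keep_port, char *out, size_t outlen)
{
    const char *p = strstr(value, "://");
    p = p ? p + 3 : value;
    size_t n;
    if (*p == '[') {                           /* bracketed IPv6 literal */
        const char *close = strchr(p, ']');
        if (close == NULL) return false;
        n = (size_t)(close - p) + 1;
        if (keep_port && p[n] == ':') n += strcspn(p + n, "/?#");
    } else {
        n = strcspn(p, keep_port ? "/?#" : ":/?#");
    }
    if (n == 0 || n >= outlen) return false;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)tolower((unsigned char)p[i]);
    out[n] = '\0';
    return true;
}

static bool host_allowed(const char *host)
{
    for (size_t i = 0; allowed_hosts[i] != NULL; i++)
        if (strcasecmp(host, allowed_hosts[i]) == 0) return true;
    return false;
}

typedef enum { REQ_OK, REQ_BAD_HOST, REQ_REBINDING, REQ_CSRF } req_verdict;

/* Decide whether to serve a request. host_hdr is the Host header; origin and
 * referer are the Origin and Referer headers, NULL when absent. */
req_verdict check_request(const char *host_hdr, const char *origin, const char *referer)
{
    char host[256], target[256], source[256];

    if (host_hdr == NULL || !extract_authority(host_hdr, false, host, sizeof host)
        || !extract_authority(host_hdr, true, target, sizeof target))
        return REQ_BAD_HOST;

    /* DNS rebinding: a script loaded from a rebound name reaches us with Host
     * set to that name, so refuse any Host that is not one of our own names. */
    if (!host_allowed(host))
        return REQ_REBINDING;

    /* CSRF: browsers send Origin on cross-site and state-changing requests and
     * Referer on most navigations. When either is present its authority must be
     * exactly ours; "null" and unparsable values fail the match. Requests that
     * carry neither are served, which is the gap a token mechanism would close. */
    const char *src = origin != NULL ? origin : referer;
    if (src == NULL)
        return REQ_OK;
    if (!extract_authority(src, true, source, sizeof source))
        return REQ_CSRF;
    return strcasecmp(source, target) == 0 ? REQ_OK : REQ_CSRF;
}

int main(void)
{
    /* Constructed sample: a cross-site form post against the local interface. */
    req_verdict v = check_request("127.0.0.1:8080", "http://attacker.example", NULL);
    printf("cross-site request verdict: %s\n", v == REQ_CSRF ? "rejected (CSRF)" : "served");
    return 0;
}
```

Note that the example answers the cover letter's second open question conservatively: names on the allowlist are accepted as the request's Host, but an Origin is only accepted when it matches that Host exactly, so being on the allowlist does not by itself make a name a valid cross-origin source.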