[vlc-devel] [PATCH 0/2] mitigate CSRF and DNS rebinding attacks on httpd server.

Rémi Denis-Courmont remi at remlab.net
Wed Jan 31 19:16:01 CET 2018

Le keskiviikkona 31. tammikuuta 2018, 19.38.00 EET Pierre Lamot a écrit :
> This series aim to mitigate CSRF and DNS rebinding attacks against the http
> interface.

That is a very reall problem, but nevertheless this seems to me like putting 
the cart before the horses.

First, enforce POST for all non-indempotent requests. Then, you can think 
about "newer" attacks like CSRF.

> CSRF is mitigated by checking Origin and Referer fields in the HTTP request.
> A proper implementation would also use a CSRF token mechanism, but this
> can't added to the current implentation without breaking the API.

It is true that session tokens or cookies would break the API. But so would 
Origin and Referer header checks:
- A control app using hand-written code for HTTP will break.
- A control app using a non-web framework for HTTP will also break.

The only changes that can be made without breaking the API for external apps 
are the hypothetical enforced ones by the browser / the client side. But then 
again, those might break web-based control apps.

In other words, either we leave those gapping security holes open, or we break 
the API. (I probably do not need to mention that I am in favor of the latter.)


More information about the vlc-devel mailing list