by tcbyrd
1900 days ago
Hi from the Pages team! This was such a great find and can't thank you enough for helping ensure Private Pages is as secure as possible. This report helped uncover:

- A bug in Openresty where `ngx.redirect` didn't handle unsafe characters [1]. While the fix is now in the latest version of Openresty, a quick patch was to build the URL safely before using it in the redirect.
- You should check for case sensitivity when reading `__Host` prefixed cookies, and verify the values against your expected format. It's possible for both `__HOST-Foo` and `__Host-Foo` cookies to exist, and only the `__Host` prefix requires the `Secure` and `HttpOnly` attributes [2]. In our case we strip all cookies at the edge using Varnish (VCL) to ensure no user-supplied cookies make it to our origin, and now we also ignore any "Secure" cookies that don't appear to have been set by our servers.

[1]: https://github.com/openresty/lua-nginx-module/pull/1654
[2]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Se...
Usually you can just set a "httpOnly" flag to make sure client-side JavaScript can't mess with the cookie. But if you also sign the cookie, it further enforces this for any client tampering with the cookie manually too. Because only the server knows the secret for creating a new signature, if the client sends back a cookie that is modified in any way (including case sensitivity), it will be discarded. It should prevent the whole class of bugs caused by "unexpected format".
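Putting the two comments above together, here is an added example (not code from GitHub Pages or either commenter) of an origin-side cookie reader that matches the `__Host-` name case-sensitively, checks the value against an expected format, and verifies an HMAC signature before trusting it. The cookie name `__Host-Session`, the value format and the secret are constructed for the example.

```python
import hashlib
import hmac
import re
from typing import List, Optional, Tuple

# Constructed for the example: the real secret lives only on the server.
SECRET = b"server-side-secret-do-not-ship"
COOKIE_NAME = "__Host-Session"  # exact spelling; "__HOST-Session" is a different cookie
# Expected format: <session id>.<hex sha256 mac>, hex digits lowercase only.
VALUE_RE = re.compile(r"^[A-Za-z0-9_-]{16,64}\.[0-9a-f]{64}$")


def sign(value: str, secret: bytes = SECRET) -> str:
    """Produce the cookie value the server would set: payload plus HMAC tag."""
    mac = hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def parse_cookie_header(header: str) -> List[Tuple[str, str]]:
    """Split a Cookie request header into (name, value) pairs without folding case."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def read_session(cookie_header: str, secret: bytes = SECRET) -> Optional[str]:
    """Return the verified session id, or None if no acceptable cookie was sent."""
    for name, raw in parse_cookie_header(cookie_header):
        # Case-sensitive comparison: only the real __Host- prefix gets the browser's
        # Secure / host-only guarantees, so a differently cased name is untrusted.
        if name != COOKIE_NAME:
            continue
        # Reject anything that does not look like a value our server produced.
        if not VALUE_RE.fullmatch(raw):
            continue
        value, _, mac = raw.rpartition(".")
        expected = hmac.new(secret, value.encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison; any edit to the payload or tag fails here.
        if hmac.compare_digest(mac, expected):
            return value
    return None
```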