Merge pull request #2648 from ryanpetrello/fix-ws-cross-origin

[3.3.0] reject ws:// connections w/ origin mismatches
2026-01-14 19:30:39 -03:30 · 2018-07-24 10:13:46 -04:00 · 2018-07-24 10:13:46 -04:00 · c0da6f04cd
commit c0da6f04cd
parent 90c03af61b e7279f2fe2
1 changed files with 6 additions and 0 deletions
--- a/awx/main/consumers.py
+++ b/awx/main/consumers.py
@ -3,7 +3,9 @@ import logging

 from channels import Group
 from channels.auth import channel_session_user_from_http, channel_session_user
+from channels.exceptions import DenyConnection

+from django.conf import settings
 from django.core.serializers.json import DjangoJSONEncoder


@ -18,6 +20,10 @@ def discard_groups(message):

@channel_session_user_from_http
 def ws_connect(message):
+    origin = dict(message.content.get('headers', {})).get('origin')
+    if settings.DEBUG is False and origin != settings.TOWER_URL_BASE:
+        logger.error("ws:// origin header mismatch {} != {}".format(origin, settings.TOWER_URL_BASE))
+        raise DenyConnection()
    message.reply_channel.send({"accept": True})
    message.content['method'] = 'FAKE'
    if message.user.is_authenticated():