From e7279f2fe20f49ed4f7331ea18754dce2050e4bf Mon Sep 17 00:00:00 2001
From: Ryan Petrello
Date: Mon, 23 Jul 2018 21:19:06 -0400
Subject: [PATCH] reject ws:// connections w/ origin mismatches

see: https://github.com/ansible/tower/issues/2647
---
 awx/main/consumers.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/awx/main/consumers.py b/awx/main/consumers.py
index bc79a5c000..3ea6e25c11 100644
--- a/awx/main/consumers.py
+++ b/awx/main/consumers.py
@@ -3,7 +3,9 @@ import logging
 from channels import Group
 from channels.auth import channel_session_user_from_http, channel_session_user
+from channels.exceptions import DenyConnection
+from django.conf import settings
 from django.core.serializers.json import DjangoJSONEncoder
@@ -18,6 +20,10 @@ def discard_groups(message):
 @channel_session_user_from_http
 def ws_connect(message):
+    origin = dict(message.content.get('headers', {})).get('origin')
+    if settings.DEBUG is False and origin != settings.TOWER_URL_BASE:
+        logger.error("ws:// origin header mismatch {} != {}".format(origin, settings.TOWER_URL_BASE))
+        raise DenyConnection()
     message.reply_channel.send({"accept": True})
     message.content['method'] = 'FAKE'
     if message.user.is_authenticated():
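Review bot: The check `origin != settings.TOWER_URL_BASE` in ws_connect compares the raw Origin header to the configured base URL byte-for-byte, so any difference in scheme or host case, a trailing slash or path in TOWER_URL_BASE, or a default port spelled out on one side and omitted on the other fails closed and denies every same-origin browser client, not just cross-origin ones. Under the Channels/ASGI message format the header pairs are byte strings keyed by `b'origin'`, so `dict(...).get('origin')` would presumably always be None on Python 3 and deny everything in production — worth confirming against the interpreter the project targets. Comparing the parsed scheme, lowercased hostname and effective port of both URLs (with `urlparse` from the stdlib) is more robust, and a short comment should state that a missing Origin, as sent by non-browser clients, is now deliberately rejected outside DEBUG, since that is the behaviour the guard introduces. The body of ws_connect continues outside the hunk.
```python
def ws_connect(message):
    # Normalise header names; Channels may deliver them as byte-string pairs.
    headers = {k.lower(): v for k, v in message.content.get('headers', [])}
    origin = headers.get(b'origin') or headers.get('origin')
    if isinstance(origin, bytes):
        origin = origin.decode('latin-1')
    expected = urlparse(settings.TOWER_URL_BASE)
    actual = urlparse(origin or '')
    # Deliberately rejects a missing Origin (non-browser clients) outside DEBUG.
    if settings.DEBUG is False and (
        actual.scheme.lower() != expected.scheme.lower()
        or actual.hostname != expected.hostname
        or actual.port != expected.port
    ):
        logger.error("ws:// origin header mismatch {} != {}".format(origin, settings.TOWER_URL_BASE))
        raise DenyConnection()
    # … unchanged: accept reply, FAKE method, authenticated-user handling …
```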