Make sure that we're not vulnerable to DNS rebinding attack

[ztane]

It started with Rails; now there was CVE 2016-9014 in Django; someone should make sure that pyramid_debugtoolbar is not vulnerable. This attack allows a malicious site being opened in any browser to access the debug console - the hostname of the request must be validated.

[digitalresistor]

Hostname is not validated.

[mmerickel]

I don't see a way to mitigate this easily but I'm open to suggestions.

[a3kov]

This is pretty serious stuff...

I don't see a way to mitigate this easily but I'm open to suggestions

Check host like @ztane said. If there is a hostname in the request, compare to a configuration setting, like "permitted hosts". Is there anything I'm missing ?

[jvanasco]

This would be better implemented as a tween/middleware/component of the core Pyramid package, and then called from there. That would allow developer applications to leverage the protection.

Every Pyramid application/component is vulnerable to DNS rebinding without checking an "allowed hosts" list. The debugtoolbar is a more attractive exploit because, like certain components of django and rails, it has a structured API and published hooks/entrypoints exploitable.