FEATURE: Protect against replay attacks when using TLS 1.3 0-RTT (#8020)
This commit is contained in:

committed by
GitHub

parent
171618e7d6
commit
39c31a3d76
@ -214,6 +214,9 @@ module Discourse
|
|||||||
config.middleware.delete Rack::ETag
|
config.middleware.delete Rack::ETag
|
||||||
|
|
||||||
unless Rails.env.development?
|
unless Rails.env.development?
|
||||||
|
require 'middleware/early_data_check'
|
||||||
|
config.middleware.insert_after Rack::MethodOverride, Middleware::EarlyDataCheck
|
||||||
|
|
||||||
require 'middleware/enforce_hostname'
|
require 'middleware/enforce_hostname'
|
||||||
config.middleware.insert_after Rack::MethodOverride, Middleware::EnforceHostname
|
config.middleware.insert_after Rack::MethodOverride, Middleware::EnforceHostname
|
||||||
end
|
end
|
||||||
|
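--- /dev/null
+++ b/lib/middleware/early_data_check.rb
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module Middleware
+class EarlyDataCheck
+def initialize(app, settings = nil)
+@app = app
+end
+
+# When a new connection happens, and it uses TLS 1.3 0-RTT
+# the reverse proxy will set the header `Early-Data` to 1.
+# Due to 0-RTT susceptibility to Replay Attacks only GET
+# requests for anonymous users are allowed.
+# Reference: https://tools.ietf.org/html/rfc8446#appendix-E.5
+def call(env)
+if env['HTTP_EARLY_DATA'].to_s == '1' &&
+(env['REQUEST_METHOD'] != 'GET' || CurrentUser.has_auth_cookie?(env))
+[
+425,
+{ 'Content-Type' => 'text/html', 'Content-Length' => '9' },
+['Too Early']
+]
+else
+@app.call(env)
+end
+end
+end
+end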
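Review bot: The `'Content-Length' => '9'` in the 425 response is hard-coded separately from the `'Too Early'` body, so the two can silently drift if the message is ever edited; deriving it keeps them in sync, e.g. `body = ['Too Early']` and `'Content-Length' => body.first.bytesize.to_s`. The `settings = nil` parameter of `initialize` is never read and could be dropped or documented as a Rails middleware-signature placeholder. The check only protects anything when the reverse proxy sets `Early-Data` (and, presumably, overwrites any client-supplied value); the class comment should state that a proxy which does not forward the header silently disables the check. If `CurrentUser.has_auth_cookie?` inspects only the session cookie, GET requests authenticated by other credentials would still be served from early data; confirm that is the intended scope.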