High severity · CVSS 8.8 · NVD Advisory · Published Sep 20, 2017 · Updated May 13, 2026

CVE-2015-5607


Description

Cross-site request forgery in the REST API in IPython 2 and 3.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
ipython (PyPI) | >= 0.12, < 2.4.1 | 2.4.1
ipython (PyPI) | >= 3.0.0, < 3.2.3 | 3.2.3

Patches

2
a05fe052a188

backport origin check for API requests

https://github.com/ipython/ipython · Min RK · Jul 12, 2015 · via ghsa
1 file changed · +48 0
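--- a/IPython/html/base/handlers.py
+++ b/IPython/html/base/handlers.py
@@ -29,6 +29,10 @@
     from http.client import responses
 except ImportError:
     from httplib import responses
+try:
+    from urllib.parse import urlparse # Py 3
+except ImportError:
+    from urlparse import urlparse # Py 2
 
 from jinja2 import TemplateNotFound
 from tornado import web
@@ -208,6 +212,50 @@ def get_origin(self):
             origin = self.request.headers.get("Sec-Websocket-Origin", None)
         return origin
 
+    def check_origin_api(self):
+        """Check Origin for cross-site API requests.
+        
+        Copied from WebSocket with changes:
+        
+        - allow unspecified host/origin (e.g. scripts)
+        """
+        if self.allow_origin == '*':
+            return True
+
+        host = self.request.headers.get("Host")
+        origin = self.request.headers.get("Origin")
+
+        # If no header is provided, assume it comes from a script/curl.
+        # We are only concerned with cross-site browser stuff here.
+        if origin is None or host is None:
+            return True
+        
+        origin = origin.lower()
+        origin_host = urlparse(origin).netloc
+        
+        # OK if origin matches host
+        if origin_host == host:
+            return True
+        
+        # Check CORS headers
+        if self.allow_origin:
+            allow = self.allow_origin == origin
+        elif self.allow_origin_pat:
+            allow = bool(self.allow_origin_pat.match(origin))
+        else:
+            # No CORS headers deny the request
+            allow = False
+        if not allow:
+            self.log.warn("Blocking Cross Origin API request.  Origin: %s, Host: %s",
+                origin, host,
+            )
+        return allow
+
+    def prepare(self):
+        if not self.check_origin_api():
+            raise web.HTTPError(404)
+        return super(IPythonHandler, self).prepare()
+
     #---------------------------------------------------------------
     # template rendering
     #---------------------------------------------------------------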
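Review bot: The `if origin is None or host is None: return True` branch in `check_origin_api` turns a missing Origin header into a pass, and the comment above it assumes only scripts and curl omit Origin; as far as I recall, browsers of that period did not consistently send Origin on cross-site HTML form submissions (Firefox in particular), so a forged `<form method="POST">` aimed at an API endpoint could still clear this check. I would at least fall back to the Referer header before the None test, `if origin is None: origin = self.request.headers.get("Referer")`, and state in the docstring that requests carrying neither header are deliberately let through and are not protected by this check. The docstring should also say that the 404 raised in `prepare` is intentionally uninformative rather than a 403. Note that `prepare` is defined on `IPythonHandler` here, so in this backport the check runs for every handler, not only API handlers; the class continues outside the hunk.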
    
1415a9710407

check origin of API requests

https://github.com/ipython/ipython · Min RK · Jul 8, 2015 · via ghsa
1 file changed · +48 1
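--- a/IPython/html/base/handlers.py
+++ b/IPython/html/base/handlers.py
@@ -5,7 +5,6 @@
 
 import functools
 import json
-import logging
 import os
 import re
 import sys
@@ -15,6 +14,10 @@
     from http.client import responses
 except ImportError:
     from httplib import responses
+try:
+    from urllib.parse import urlparse # Py 3
+except ImportError:
+    from urlparse import urlparse # Py 2
 
 from jinja2 import TemplateNotFound
 from tornado import web
@@ -320,6 +323,50 @@ def write_error(self, status_code, **kwargs):
 class APIHandler(IPythonHandler):
     """Base class for API handlers"""
     
+    def check_origin(self):
+        """Check Origin for cross-site API requests.
+        
+        Copied from WebSocket with changes:
+        
+        - allow unspecified host/origin (e.g. scripts)
+        """
+        if self.allow_origin == '*':
+            return True
+
+        host = self.request.headers.get("Host")
+        origin = self.request.headers.get("Origin")
+
+        # If no header is provided, assume it comes from a script/curl.
+        # We are only concerned with cross-site browser stuff here.
+        if origin is None or host is None:
+            return True
+        
+        origin = origin.lower()
+        origin_host = urlparse(origin).netloc
+        
+        # OK if origin matches host
+        if origin_host == host:
+            return True
+        
+        # Check CORS headers
+        if self.allow_origin:
+            allow = self.allow_origin == origin
+        elif self.allow_origin_pat:
+            allow = bool(self.allow_origin_pat.match(origin))
+        else:
+            # No CORS headers deny the request
+            allow = False
+        if not allow:
+            self.log.warn("Blocking Cross Origin API request.  Origin: %s, Host: %s",
+                origin, host,
+            )
+        return allow
+
+    def prepare(self):
+        if not self.check_origin():
+            raise web.HTTPError(404)
+        return super(APIHandler, self).prepare()
+
     @property
     def content_security_policy(self):
         csp = '; '.join([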
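Review bot: `allow_origin_pat.match(origin)` in `check_origin` anchors only at the start of the string, so unless the configured pattern itself ends with `$` an origin like `https://notebook.example.com.attacker.net` satisfies a pattern written for `https://.*\.example\.com`; the pattern is compiled outside this hunk, so if it is not anchored there, enforce the end here: `m = self.allow_origin_pat.match(origin)` followed by `allow = bool(m) and m.end() == len(origin)` (`re.fullmatch` is not available on the Python 2 this file still supports). Separately, `origin_host` is lower-cased but `host` is compared raw, so a mixed-case Host header misses the equality and falls through to the CORS branch — fail-closed, but a `host = host.lower()` beside the Origin lowering would make the comparison symmetric and deserves a one-line comment either way. `self.log.warn` is the deprecated alias of `warning`. The `APIHandler` class continues past the end of the hunk.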
    


References

9
