[Python-Dev] Need help to fix HTTP Header Injection vulnerability (original) (raw)
Victor Stinner vstinner at redhat.com
Tue Apr 9 10:22:56 EDT 2019
- Previous message (by thread): [Python-Dev] bedevere pipelines hang on github
- Next message (by thread): [Python-Dev] Need help to fix HTTP Header Injection vulnerability
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi,
In May 2017, user "Orange" found a vulnerability in the urllib fix for CVE-2016-5699 (HTTP Header Injection vulnerability): https://bugs.python.org/issue30458
It allows to inject arbitrary HTTP headers.
Copy of their message:
""" Hi, the patch in CVE-2016-5699 can be broke by an addition space. http://www.cvedetails.com/cve/CVE-2016-5699/ https://hg.python.org/cpython/rev/bf3e1c9b80e9 https://hg.python.org/cpython/rev/1c45047c5102
import urllib, urllib2
urllib.urlopen('http://127.0.0.1\r\n\x20hihi\r\n :11211') urllib2.urlopen('http://127.0.0.1\r\n\x20hihi\r\n :11211') """
Last month, the same bug has been rediscovered by user "ragdoll.guo": https://bugs.python.org/issue36276
Almost one year after the bug has been reported, no one came with a solution.
I'm not comfortable with having known security issues impacting HTTP. Can someone please have a look at the issue and try to write a change to fix the issue?
According to Karthikeyan Singaravelan, the Go language fixed a similar issue in Go 1.12: throw an error if the URL contains any control character.
If we decide that the issue is not a security issue, we should document the behavior properly and close the issue.
See also this related issue:
"urlopen URL with unescaped space" https://bugs.python.org/issue14826
Victor
Night gathers, and now my watch begins. It shall not end until my death.
- Previous message (by thread): [Python-Dev] bedevere pipelines hang on github
- Next message (by thread): [Python-Dev] Need help to fix HTTP Header Injection vulnerability
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]