[Python-Dev] Need help to fix HTTP Header Injection vulnerability (original) (raw)
Wes Turner wes.turner at gmail.com
Wed Apr 10 06:16:10 EDT 2019
- Previous message (by thread): [Python-Dev] Need help to fix HTTP Header Injection vulnerability
- Next message (by thread): [Python-Dev] Need help to fix HTTP Header Injection vulnerability
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Is there a library of URL / Header injection tests e.g. for fuzzing that we could generate additional test cases with or from?
Are requests.get() and requests.post() also vulnerable?
Despite the much-heralded UNIX pipe protocols' utility, filenames containing newlines (the de-facto line record delimiter) are possible: "file"$'\n'"name"
Should filenames containing newlines and control characters require a kwarg to be non-None in order to be passed through unescaped to the HTTP request?
On Wednesday, April 10, 2019, Karthikeyan <tir.karthi at gmail.com> wrote:
Thanks Gregory. I think it's a good tradeoff to ensure this validation only for URLs of http scheme.
I also agree handling newline is little problematic over the years and the discussion over the level at which validation should occur also prolongs some of the patches. https://bugs.python.org/issue35906 is another similar case where splitlines is used but it's better to raise an error and the proposed fix could be used there too. Victor seemed to wrote a similar PR like linked one for other urllib functions only to fix similar attack in ftplib to reject newlines that was eventually fixed only in ftplib * https://bugs.python.org/issue30713 * https://bugs.python.org/issue29606 Search also brings multiple issues with one duplicate over another that makes these attacks scattered over the tracker and some edge case missing. Slightly off topic, the last time I reported a cookie related issue where the policy can be overriden by third party library I was asked to fix it in stdlib itself since adding fixes to libraries causes maintenance burden to downstream libraries to keep up upstream. With urllib being a heavily used module across ecosystem it's good to have a fix landing in stdlib that secures downstream libraries encouraging users to upgrade Python too. Regards, Karthikeyan S
-------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.python.org/pipermail/python-dev/attachments/20190410/bd15a035/attachment-0001.html>
- Previous message (by thread): [Python-Dev] Need help to fix HTTP Header Injection vulnerability
- Next message (by thread): [Python-Dev] Need help to fix HTTP Header Injection vulnerability
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]