osdir.com


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Python-Dev] Need help to fix HTTP Header Injection vulnerability


Hi,


In May 2017, user "Orange" found a vulnerability in the urllib fix for
CVE-2016-5699 (HTTP Header Injection vulnerability):
https://bugs.python.org/issue30458

It allows to inject arbitrary HTTP headers.

Copy of their message:

"""
Hi, the patch in CVE-2016-5699 can be broke by an addition space.
http://www.cvedetails.com/cve/CVE-2016-5699/
https://hg.python.org/cpython/rev/bf3e1c9b80e9
https://hg.python.org/cpython/rev/1c45047c5102

import urllib, urllib2

urllib.urlopen('http://127.0.0.1\r\n\x20hihi\r\n :11211')
urllib2.urlopen('http://127.0.0.1\r\n\x20hihi\r\n :11211')
"""

Last month, the same bug has been rediscovered by user "ragdoll.guo":
https://bugs.python.org/issue36276

Almost one year after the bug has been reported, no one came with a solution.

I'm not comfortable with having known security issues impacting HTTP.
Can someone please have a look at the issue and try to write a change
to fix the issue?

According to Karthikeyan Singaravelan, the Go language fixed a similar
issue in Go 1.12: throw an error if the URL contains any control
character.

If we decide that the issue is not a security issue, we should
document the behavior properly and close the issue.

See also this related issue:

   "urlopen URL with unescaped space"
   https://bugs.python.org/issue14826

Victor
-- 
Night gathers, and now my watch begins. It shall not end until my death.