Why exception from os.path.exists()?
On Thu, 07 Jun 2018 22:46:09 +1000, Chris Angelico wrote:
>> I wonder how many publicly facing web servers can be induced to either
>> crash, or serve the wrong content, this way?
> Define "serve the wrong content". You could get the exact same content
> by asking for "te" instead of "te%00st.html";
Perhaps so, but maybe you can bypass access controls to te and get access
to it even though it is supposed to be private.
This is a real vulnerability, called null-byte injection.
One component of the system sees a piece of input, truncates it at the
NULL, and validates the truncated input; then another component acts on
the untruncated (and unvalidated) input.
Null-byte injection attacks have led to remote attackers executing
arbitrary code. That's unlikely in this scenario, but given that most web
servers are written in C, not Python, it is conceivable that they could
do anything under a null-byte injection attack.
Does the Python web server suffer from that vulnerability? I would be
surprised if it were. But it can be induced to crash (an exception, not a
seg fault) which is certainly a vulnerability.
Since people are unlikely to use this web server to serve mission
critical public services over the internet, the severity is likely low.
Nevertheless, it is still a real vulnerability.
"Ever since I learned about confirmation bias, I've been seeing
it everywhere." -- Jon Ronson
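The check/use mismatch described in this message, and the consistent check that closes it, as an added Python example that is not part of the thread; the document root, `ALLOWED_EXT` and the helper names are constructed for the demonstration, and `c_style_name` stands in for a component that reads the name as a C string.

```python
import os
import tempfile

ALLOWED_EXT = {".html"}   # assumed policy: only .html files are servable

def make_docroot() -> str:
    """Constructed sample document root: one servable page and one file
    that the extension check is meant to keep private."""
    root = tempfile.mkdtemp(prefix="nulbyte_demo_")
    for name, body in (("te.html", "public\n"), ("secret.txt", "private\n")):
        with open(os.path.join(root, name), "w") as f:
            f.write(body)
    return root

def c_style_name(path: str) -> str:
    """Model of a component that reads the name as a C string: everything
    after the first NUL is invisible to it. (Pure Python would not get this
    far: os.path.exists on the untruncated name raises ValueError on the
    interpreters of the thread's era, and returns False since 3.8.)"""
    return path.split("\x00", 1)[0]

def mismatched_resolve(docroot: str, request_path: str):
    """The pattern the message describes: the policy check sees the full
    string, the file access sees the NUL-truncated one."""
    if os.path.splitext(request_path)[1] not in ALLOWED_EXT:
        return 403, None
    full = os.path.join(docroot, c_style_name(request_path.lstrip("/")))
    return (200, full) if os.path.exists(full) else (404, None)

def hardened_resolve(docroot: str, request_path: str):
    """Reject NUL up front, then check and use exactly one canonical path."""
    if "\x00" in request_path:
        return 400, None          # a clean client error, not an exception
    root = os.path.realpath(docroot)
    full = os.path.realpath(os.path.join(root, request_path.lstrip("/")))
    if os.path.commonpath([root, full]) != root:
        return 403, None          # escaped the document root
    if os.path.splitext(full)[1] not in ALLOWED_EXT:
        return 403, None
    return (200, full) if os.path.exists(full) else (404, None)

if __name__ == "__main__":
    root = make_docroot()
    probe = "/secret.txt\x00.html"
    print(mismatched_resolve(root, probe))   # (200, '.../secret.txt')
    print(hardened_resolve(root, probe))     # (400, None)
```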