Message 182804 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	devin
Recipients	Arfrever, devin, giampaolo.rodola, socketpair
Date	2013-02-23.19:52:12
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1361649132.58.0.983892154936.issue11259@psf.upfronthosting.co.za>
In-reply-to

Content
I agree that this is probably a bug, but can't think of any instances where this in itself would cause a security issue. By sending something like a negative Content-Length, you do indeed get data returned that doesn't really match the data sent on the wire. If you're able to manipulate the Content-Length, though, instead of sending a negative value num, you could instead send len(data) + num. Here's a simple example I was able to come up with: Server reads data and runs "echo -n > {data}" (or any write the file specified in "data"). Client is supposed to send Content-Length, then that many bytes, expected to be a file that should be written to. Client instead sends "-4\n/etc/passwd.bak". Server runs "echo -n > /etc/passwd". So that's certainly unexpected bahavior. However, this is a fairly low-level module, and doesn't actually do anything with the data it collects. That's left to the subclass, and subclasses should be responsible for validating any data read off the wire before using it. Attached is a patch to tip, including a new test case.

I agree that this is probably a bug, but can't think of any instances where this in itself would cause a security issue. By sending something like a negative Content-Length, you do indeed get data returned that doesn't really match the data sent on the wire. If you're able to manipulate the Content-Length, though, instead of sending a negative value num, you could instead send len(data) + num.

Here's a simple example I was able to come up with:

Server reads data and runs "echo -n > {data}" (or any write the file specified in "data").
Client is supposed to send Content-Length, then that many bytes, expected to be a file that should be written to.
Client instead sends "-4\n/etc/passwd.bak".
Server runs "echo -n > /etc/passwd".

So that's certainly unexpected bahavior. However, this is a fairly low-level module, and doesn't actually do anything with the data it collects. That's left to the subclass, and subclasses should be responsible for validating any data read off the wire before using it.

Attached is a patch to tip, including a new test case.

History
Date	User	Action	Args
2013-02-23 19:52:12	devin	set	recipients: + devin, giampaolo.rodola, Arfrever, socketpair
2013-02-23 19:52:12	devin	set	messageid: <1361649132.58.0.983892154936.issue11259@psf.upfronthosting.co.za>
2013-02-23 19:52:12	devin	link	issue11259 messages
2013-02-23 19:52:12	devin	create