Message339846
Oh, I didn't recall that this issue (this class of security vulnerabilities) has a so old history. I found *A LOT* of similar open issues. Here are my notes. Maybe most open issues should be closed as duplicate of this one to clarify the status of urllib in Python? :-)
Emails:
* 2019: https://mail.python.org/pipermail/python-dev/2019-April/157014.html
* 2017: https://mail.python.org/pipermail/python-dev/2017-July/148699.html
Open issues:
* 2011, bpo-13359: "urllib2 doesn't escape spaces in http requests"
Not marked as a security issue.
* 2012, bpo-14826: "urlopen URL with unescaped space"
Fix using quote(self.__original, safe="%/:=&?~#+!$,;'@()*[]|")
... and the changed has then be reverted because it broke buildbots.
Still open.
* 2013, bpo-17322: "urllib.request add_header() currently allows trailing spaces (and other weird stuff)"
Not marked as a security issue.
* 2014, bpo-22928: "HTTP header injection in urrlib2/urllib/httplib/http.client (CVE-2016-5699)"
Marked as fixed, but user Orange explained in the first comment of in
bpo-30458 that the fix is incomplete.
* 2017, bpo-30458: "[CVE-2019-9740][security] CRLF Injection in httplib" (this issue)
* 2017, bpo-32085: "[Security] A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages!"
* 2019, bpo-35906: "[CVE-2019-9947] Header Injection in urllib" (another CVE!)
Closed issues:
* 2004, bpo-918368: "urllib doesn't correct server returned urls" (urllib)
FIXED BY: commit 7c2867fcb1ade429a41e030585332ea26e3f60e1
Fix: fullurl = quote(fullurl, safe="%/:=&?~#+!$,;'@()*[]")
* 2005, bpo-1353433: "Http redirection error in urllib2.py" (urllib2)
FIXED BY: commit ddb84d7c69addc5d5e2ab3e327260d97b52af3a7
Fix: newurl = newurl.replace(' ', '%20')
* 2005, bpo-1153027: "http_error_302() crashes with 'HTTP/1.1 400 Bad Request"
FIXED BY: commit 690ce9b353bc0a86d0886470adbaa50e813de3b8 (Lib/urllib/request.py)
Fix: fullurl = quote(fullurl, safe="%/:=&?~#+!$,;'@()*[]")
* bpo-29606: "urllib FTP protocol stream injection"
Duplicate of bpo-30119.
* bpo-30119: "(ftplib) A remote attacker could possibly attack by containing the newline characters"
FIXED BY: commmit 8c2d4cf092c5f0335e7982392a33927579c4d512
Fix: reject "\r" and "\n" in FTP.putline() (Lib/ftplib.py)
* bpo-36276: "[CVE-2019-9740] Python urllib CRLF injection vulnerability"
Closed as duplicate of bpo-30458
Rejected pull requests:
* https://github.com/python/cpython/pull/1216/files
bpo-29606: Reject "\n" in ftp_open() of Lib/urllib/request.py
* https://github.com/python/cpython/pull/2800/files
bpo-29606: Reject "\n" in ftp_open() and open_ftp() of Lib/urllib/request.py
* https://github.com/python/cpython/pull/2301/files
bpo-30713: The splittype(), splitport() and splithost() functions of the
urllib.parse module now reject URLs which contain a newline character.
* https://github.com/python/cpython/pull/2303/files
bpo-30713: The splittype(), splitport() and splithost() functions of the
urllib.parse module now reject URLs which contain a newline character, but
splittype() accepts newlines after the type. |
|
Date |
User |
Action |
Args |
2019-04-10 10:36:16 | vstinner | set | recipients:
+ vstinner, gregory.p.smith, martin.panter, serhiy.storchaka, xiang.zhang, orange, xtreak, ware |
2019-04-10 10:36:15 | vstinner | set | messageid: <1554892575.98.0.457417082583.issue30458@roundup.psfhosted.org> |
2019-04-10 10:36:15 | vstinner | link | issue30458 messages |
2019-04-10 10:36:15 | vstinner | create | |
|