msg352921
Author: longwenzhang (longwenzhang)
Date: 2019-09-21 02:17
It's "Lib/DocXMLRPCServer.py" in Python 2.x or "Lib/xmlrpc/server.py" in Python 3.x.
Steps to reproduce:
1. Lib/DocXMLRPCServer.py is "a documenting XML-RPC Server". In the class ServerHTMLDoc, the method markup() escapes special symbols (such as <, ", etc.) to make them safe.
2. But it only escapes the content from server.set_server_name() and server.set_server_documentation(); the "title" content from server.set_server_title() is not escaped, so if I call set_server_title('123</title><script>alert(1)</script>'), it causes XSS because it is not escaped.
3. I see the alert in Chrome by visiting http://127.0.0.1; the PoC is poc.py (run in Python 2.7) in the attachments.
4. The problem seems to be at
https://github.com/python/cpython/blob/master/Lib/xmlrpc/server.py#L897: "return documenter.page(self.server_title,documentation)". Before this line, the variable "documentation" has been escaped but self.server_title has not. This is the main cause.
|
msg352922
Author: Karthikeyan Singaravelan (xtreak)
Date: 2019-09-21 04:25
Thanks for the report. There is a policy to report security vulnerabilities in CPython : https://www.python.org/news/security/.
|
msg353132
Author: Dong-hee Na (corona10)
Date: 2019-09-25 02:08
Looks like this issue can be solved by the code change below.
@@ -833,7 +834,7 @@ class XMLRPCDocGenerator:
def set_server_title(self, server_title):
"""Set the HTML title of the generated server documentation"""
- self.server_title = server_title
+ self.server_title = html.escape(server_title)
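Review bot: Escaping inside set_server_title() changes what the object stores, so after this hunk self.server_title holds HTML entities instead of the title that was passed in, anything that reads the attribute back gets the escaped form, and a title assigned without going through the setter is still rendered raw; if the render path is later also made to escape, a title set this way would be double-escaped (`&amp;lt;` instead of `&lt;`). The escape belongs at the single point where the title is interpolated into HTML, the `documenter.page(self.server_title, documentation)` call quoted in msg352921, and the patch should come with a test that renders a title such as `123</title><script>` and asserts the output contains `&lt;/title&gt;&lt;script&gt;` and no raw `<script>`; also confirm that `html` is imported in Lib/xmlrpc/server.py before relying on html.escape here.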
|
msg353140
Author: Dong-hee Na (corona10)
Date: 2019-09-25 04:40
I've proposed the patch on GitHub, which escapes the server_title when documenter.page is called. (It is a different point from msg353132.)
|
msg353169
Author: STINNER Victor (vstinner)
Date: 2019-09-25 11:00
> Thanks for the report. There is a policy to report security vulnerabilities in CPython : https://www.python.org/news/security/.
The private security mailing list was contacted first and we advised opening a public issue since we consider that it's not a major security issue.
To exploit this bug, the attacker has to control the XML-RPC server title.
|
msg353170
Author: STINNER Victor (vstinner)
Date: 2019-09-25 11:01
> I've proposed the patch on GitHub, which escapes the server_title when documenter.page is called. (It is a different point from msg353132.)
The attached poc.py seems to show that server name and server documentation are not escaped either.
server.set_server_name('test<script>')
server.set_server_documentation('test<script>')
Well, please write a test to check that ;-)
|
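The rendering path described in msg352921 (the title handed to documenter.page() without escaping) and the check Victor asks for in msg353170 (server name and documentation as well as the title), as an added example that is not part of the bug report, of the attached poc.py or of CPython. It renders the documentation page in-process through xmlrpc.server.DocCGIXMLRPCRequestHandler, which shares the XMLRPCDocGenerator mix-in, and therefore generate_html_documentation(), with DocXMLRPCServer, so no socket is opened. The payload string and the helper names (render_doc_page, unescaped_fields, title_element, add) are this example's own.

```python
"""In-process regression check for the DocXMLRPCServer title-escaping bug.

Added example, not code from the bug report or from CPython.  The page is
rendered through DocCGIXMLRPCRequestHandler, which uses the same
XMLRPCDocGenerator mix-in (and the same documenter.page() call) as
DocXMLRPCServer, so the HTML is what a GET to the server would return.
"""
import re
from xmlrpc.server import DocCGIXMLRPCRequestHandler

# Constructed payload: closes the <title> element and injects a script element.
PAYLOAD = "</title><script>alert(1)</script>"


def add(a, b):
    """Return a + b.  Registered only so the page documents one method."""
    return a + b


def render_doc_page(title, name, documentation):
    """Return the HTML documentation page for the three operator-set strings."""
    handler = DocCGIXMLRPCRequestHandler()
    handler.register_function(add)
    handler.set_server_title(title)
    handler.set_server_name(name)
    handler.set_server_documentation(documentation)
    return handler.generate_html_documentation()


def title_element(page):
    """Return the text between the real <title> and </title> tags ('' if absent)."""
    match = re.search(r"<title>(.*?)</title>", page, re.S)
    return match.group(1) if match else ""


def unescaped_fields(payload=PAYLOAD):
    """Return the set of fields through which `payload` reaches the HTML verbatim.

    Each field is set to a distinct prefix plus the payload so that a hit can
    be attributed to exactly one field.  An interpreter with the bug returns
    {'title'}; one carrying the bpo-38243 fix returns an empty set.
    """
    prefixes = {"title": "T", "name": "N", "documentation": "D"}
    leaks = set()
    for field, prefix in prefixes.items():
        args = {"title": "safe title", "name": "safe name",
                "documentation": "safe documentation"}
        args[field] = prefix + payload
        page = render_doc_page(**args)
        if prefix + payload in page:
            leaks.add(field)
    return leaks


if __name__ == "__main__":
    leaked = unescaped_fields()
    print("unescaped fields:", sorted(leaked) or "none")
    print("rendered <title>:", title_element(render_doc_page(PAYLOAD, "n", "d")))
```

On an interpreter without the fix unescaped_fields() returns {'title'} (name and documentation were already escaped by docserver() and markup(), as msg352921 notes) and the rendered title element ends at the injected </title>; on a fixed interpreter it returns an empty set and the title element contains the entities &lt;/title&gt;&lt;script&gt; instead. The check exercises xmlrpc.server only, so it says nothing about Python 2's DocXMLRPCServer, which was fixed separately in GH-16447.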
msg353301
Author: Dong-hee Na (corona10)
Date: 2019-09-26 13:17
@vstinner
Thank you for the feedback.
I've updated the PR with the unit test you suggested :-)
|
msg353395
Author: STINNER Victor (vstinner)
Date: 2019-09-27 19:59
New changeset e8650a4f8c7fb76f570d4ca9c1fbe44e91c8dfaa by Victor Stinner (Dong-hee Na) in branch 'master':
bpo-38243, xmlrpc.server: Escape the server_title (GH-16373)
https://github.com/python/cpython/commit/e8650a4f8c7fb76f570d4ca9c1fbe44e91c8dfaa
|
msg353403
Author: miss-islington (miss-islington)
Date: 2019-09-27 20:18
New changeset 39a0c7555530e31c6941a78da19b6a5b61170687 by Miss Islington (bot) in branch '3.7':
bpo-38243, xmlrpc.server: Escape the server_title (GH-16373)
https://github.com/python/cpython/commit/39a0c7555530e31c6941a78da19b6a5b61170687
|
msg353404
Author: miss-islington (miss-islington)
Date: 2019-09-27 20:19
New changeset 6447b9f9bd27e1f6b04cef674dd3a7ab27bf4f28 by Miss Islington (bot) in branch '3.8':
bpo-38243, xmlrpc.server: Escape the server_title (GH-16373)
https://github.com/python/cpython/commit/6447b9f9bd27e1f6b04cef674dd3a7ab27bf4f28
|
msg353407
Author: STINNER Victor (vstinner)
Date: 2019-09-27 20:27
@Dong-hee Na: Would you mind trying to backport the change to Python 2.7, which also has the bug?
|
msg353418
Author: Dong-hee Na (corona10)
Date: 2019-09-27 21:49
Sure!
|
msg353440
Author: Ned Deily (ned.deily)
Date: 2019-09-28 07:33
New changeset 1698cacfb924d1df452e78d11a4bf81ae7777389 by Ned Deily (Victor Stinner) in branch '3.6':
bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) (GH-16441)
https://github.com/python/cpython/commit/1698cacfb924d1df452e78d11a4bf81ae7777389
|
msg353668
Author: STINNER Victor (vstinner)
Date: 2019-10-01 10:58
New changeset 8eb64155ff26823542ccf0225b3d57b6ae36ea89 by Victor Stinner (Dong-hee Na) in branch '2.7':
[2.7] bpo-38243: Escape the server title of DocXMLRPCServer (GH-16447)
https://github.com/python/cpython/commit/8eb64155ff26823542ccf0225b3d57b6ae36ea89
|
msg353677
Author: STINNER Victor (vstinner)
Date: 2019-10-01 11:51
I prefer to keep it open until the 3.5 backport is merged.
|
msg353689
Author: Dong-hee Na (corona10)
Date: 2019-10-01 12:21
> I prefer to keep it open until the 3.5 backport is merged.
Sorry, I didn't find it.
Yes, we should leave it open until the PR is merged.
|
msg355614
Author: Larry Hastings (larry)
Date: 2019-10-29 05:40
New changeset 3fe1b19265b55c290fc956e9aafcf661803782de by larryhastings (Victor Stinner) in branch '3.5':
bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) (GH-16441) (#16516)
https://github.com/python/cpython/commit/3fe1b19265b55c290fc956e9aafcf661803782de
|
msg361819
Author: STINNER Victor (vstinner)
Date: 2020-02-11 14:36
CVE-2019-16935 has been assigned to this vulnerability.
|
msg364855
Author: STINNER Victor (vstinner)
Date: 2020-03-23 14:58
Charalampos Strataris's advice: if you backport the security fix and test_docxmlrpc starts to hang randomly, you should also backport the bpo-27614 fix. For example, it's commit 3911d8333c5b6f9374fa11ab7c912f1471580f0f for Python 2.7. We had the issue on RHEL 7.
|
Date | User | Action | Args
2022-04-11 14:59:20 | admin | set | github: 82424
2020-03-23 14:58:02 | vstinner | set | messages: + msg364855
2020-02-11 14:36:14 | vstinner | set | messages: + msg361819; title: A reflected XSS in python/Lib/DocXMLRPCServer.py -> [security][CVE-2019-16935] A reflected XSS in python/Lib/DocXMLRPCServer.py
2019-10-29 05:43:00 | larry | set | status: open -> closed; resolution: fixed
2019-10-29 05:40:18 | larry | set | nosy: + larry; messages: + msg355614
2019-10-01 12:21:52 | corona10 | set | messages: + msg353689
2019-10-01 11:51:17 | vstinner | set | status: closed -> open; resolution: fixed -> (no value); messages: + msg353677
2019-10-01 11:28:39 | corona10 | set | status: open -> closed; resolution: fixed; stage: patch review -> resolved
2019-10-01 10:59:41 | vstinner | set | pull_requests: + pull_request16106
2019-10-01 10:58:04 | vstinner | set | messages: + msg353668
2019-09-28 07:33:05 | ned.deily | set | nosy: + ned.deily; messages: + msg353440
2019-09-28 01:20:27 | corona10 | set | pull_requests: + pull_request16026
2019-09-27 21:49:22 | corona10 | set | messages: + msg353418
2019-09-27 20:27:01 | vstinner | set | messages: + msg353407
2019-09-27 20:19:44 | miss-islington | set | messages: + msg353404
2019-09-27 20:18:19 | miss-islington | set | nosy: + miss-islington; messages: + msg353403
2019-09-27 20:03:20 | vstinner | set | pull_requests: + pull_request16020
2019-09-27 20:00:25 | miss-islington | set | pull_requests: + pull_request16019
2019-09-27 20:00:15 | miss-islington | set | pull_requests: + pull_request16018
2019-09-27 19:59:40 | vstinner | set | messages: + msg353395
2019-09-26 13:17:38 | corona10 | set | messages: + msg353301
2019-09-25 11:01:41 | vstinner | set | messages: + msg353170
2019-09-25 11:00:43 | vstinner | set | messages: + msg353169
2019-09-25 04:40:29 | corona10 | set | messages: + msg353140
2019-09-25 04:23:41 | corona10 | set | keywords: + patch; stage: patch review; pull_requests: + pull_request15953
2019-09-25 02:08:49 | corona10 | set | messages: + msg353132
2019-09-25 01:43:44 | corona10 | set | nosy: + corona10
2019-09-25 01:10:13 | vstinner | set | nosy: + vstinner, mdk
2019-09-21 19:34:38 | ned.deily | set | keywords: + security_issue; priority: normal -> high; versions: + Python 2.7, Python 3.5, Python 3.6, Python 3.8, Python 3.9
2019-09-21 04:25:04 | xtreak | set | nosy: + xtreak; messages: + msg352922
2019-09-21 02:17:30 | longwenzhang | create |