classification
Title: A reflected XSS in python/Lib/DocXMLRPCServer.py
Type: security Stage: resolved
Components: Library (Lib) Versions: Python 3.9, Python 3.8, Python 3.7, Python 3.6, Python 3.5, Python 2.7
process
Status: open Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: corona10, longwenzhang, mdk, miss-islington, ned.deily, vstinner, xtreak
Priority: high Keywords: patch, security_issue

Created on 2019-09-21 02:17 by longwenzhang, last changed 2019-10-01 12:21 by corona10.

Files
File name Uploaded Description
poc.py longwenzhang, 2019-09-21 02:17
Pull Requests
URL Status Linked
PR 16373 merged corona10, 2019-09-25 04:23
PR 16439 merged miss-islington, 2019-09-27 20:00
PR 16440 merged miss-islington, 2019-09-27 20:00
PR 16441 merged vstinner, 2019-09-27 20:03
PR 16447 merged corona10, 2019-09-28 01:20
PR 16516 open vstinner, 2019-10-01 10:59
Messages (16)
msg352921 - Author: longwenzhang (longwenzhang) * Date: 2019-09-21 02:17
It's "Lib/DocXMLRPCServer.py" in Python 2.x or "Lib/xmlrpc/server.py" in Python 3.x.

Steps to reproduce:

1. Lib/DocXMLRPCServer.py is "a documenting XML-RPC Server". In the class ServerHTMLDoc, the method markup() escapes special symbols (such as <, " etc.) to make them safe.
2. But it only escapes the content from server.set_server_name() and server.set_server_documentation(); the "title" content from server.set_server_title() is not escaped, so if I call set_server_title('123</title><script>alert(1)</script>'), it causes XSS because it is not escaped.
3. I see the alert in Chrome by visiting http://127.0.0.1; the PoC is poc.py (run in Python 2.7) in the attachments.
4. The problem seems to be at
https://github.com/python/cpython/blob/master/Lib/xmlrpc/server.py#L897, "return documenter.page(self.server_title,documentation)". Before this line, the variable "documentation" has been escaped but self.server_title has not. This is the main cause.
msg352922 - Author: Karthikeyan Singaravelan (xtreak) * (Python triager) Date: 2019-09-21 04:25
Thanks for the report. There is a policy to report security vulnerabilities in CPython : https://www.python.org/news/security/.
msg353132 - Author: Dong-hee Na (corona10) * (Python triager) Date: 2019-09-25 02:08
Looks like this issue can be solved by the code change below.

@@ -833,7 +834,7 @@ class XMLRPCDocGenerator:
     def set_server_title(self, server_title):
         """Set the HTML title of the generated server documentation"""

-        self.server_title = server_title
+        self.server_title = html.escape(server_title)
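Review bot: escaping inside set_server_title() stores the escaped string on self.server_title, so anything that later reads the attribute gets HTML entities instead of the configured title, and a title escaped a second time at render time would be double-escaped; the safer place is the single point where the title is interpolated into HTML, the "return documenter.page(self.server_title,documentation)" call at server.py#L897 that the report points at, which also keeps the title on the same footing as server_name and server_documentation, which are escaped while the page is generated. The hunk also relies on html.escape, which does not exist on Python 2.7 (listed among the affected versions, where the module is Lib/DocXMLRPCServer.py), so the 2.7 backport needs a different call such as cgi.escape. Finally, the change comes without a regression test that feeds a title containing "<script>" through the documentation page and checks that only the escaped form appears.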
msg353140 - Author: Dong-hee Na (corona10) * (Python triager) Date: 2019-09-25 04:40
I've proposed the patch on GitHub, which escapes the server_title when documenter.page is called. (It is a different point from msg353132.)
msg353169 - Author: STINNER Victor (vstinner) * (Python committer) Date: 2019-09-25 11:00
> Thanks for the report. There is a policy to report security vulnerabilities in CPython : https://www.python.org/news/security/.

The private security mailing list was contacted first and we advised opening a public issue since we consider that it's not a major security issue.

To exploit this bug, the attacker has to control the XML-RPC server title.
msg353170 - Author: STINNER Victor (vstinner) * (Python committer) Date: 2019-09-25 11:01
> I've proposed the patch on GitHub which escaping the server_title when the documenter.page is called. (It different point with msg353132.

The attached poc.py seems to show that the server name and server documentation are not escaped either.

server.set_server_name('test<script>')
server.set_server_documentation('test<script>')

Well, please write a test to check that ;-)
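A regression check in the spirit of the test requested above, covering all three strings named in this thread (the title from the original report in msg352921, plus the server name and documentation questioned here). This is an added example, not CPython's own test_docxmlrpc code: it drives the real xmlrpc.server.XMLRPCDocGenerator through a small hypothetical helper class (_DocOnlyDispatcher) so that no socket is opened, and the marker strings are constructed for this example rather than taken from the attached poc.py.

```python
"""Offline regression check for the DocXMLRPCServer title escaping discussed
in this issue.  Added example (not CPython's test suite): it renders the
documentation page with the real xmlrpc.server classes and reports which of
the three configurable strings reach the HTML unescaped."""
import html
from xmlrpc.server import SimpleXMLRPCDispatcher, XMLRPCDocGenerator

# Constructed marker strings (not the attached poc.py): each carries the
# characters that must be neutralised before they are written into HTML.
TITLE = 'test_title</title><script>alert(1)</script>'
NAME = 'test_name<script>'
DOCS = 'test_doc<script>'


class _DocOnlyDispatcher(SimpleXMLRPCDispatcher, XMLRPCDocGenerator):
    """Hypothetical helper: the same two bases DocXMLRPCServer combines,
    minus the TCP server, so generate_html_documentation() runs offline."""

    def __init__(self):
        SimpleXMLRPCDispatcher.__init__(self)
        XMLRPCDocGenerator.__init__(self)


def add(x, y):
    """Return x + y (registered so the page lists at least one method)."""
    return x + y


def render_documentation(title=TITLE, name=NAME, docs=DOCS):
    """Return the HTML that GET / would serve with these strings configured
    through the public setters."""
    gen = _DocOnlyDispatcher()
    gen.register_function(add)
    gen.set_server_title(title)
    gen.set_server_name(name)
    gen.set_server_documentation(docs)
    return gen.generate_html_documentation()


def escaping_report(page=None):
    """Map each field to 'escaped' (only its html.escape() form appears),
    'raw' (the markup reached the page verbatim) or 'missing'."""
    if page is None:
        page = render_documentation()
    report = {}
    for field, raw in (('title', TITLE), ('name', NAME), ('documentation', DOCS)):
        if raw in page:
            report[field] = 'raw'
        elif html.escape(raw) in page:
            report[field] = 'escaped'
        else:
            report[field] = 'missing'
    return report


if __name__ == '__main__':
    for field, state in escaping_report().items():
        print(f'{field}: {state}')
```

On an interpreter that carries the fix from this issue, escaping_report() returns 'escaped' for all three fields; on an unpatched 3.x the title comes back 'raw', which is exactly the condition the report describes, while name and documentation were already escaped by ServerHTMLDoc.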
msg353301 - Author: Dong-hee Na (corona10) * (Python triager) Date: 2019-09-26 13:17
@vstinner

Thank you for the feedback.
I've updated the PR with the unit test you suggested :-)
msg353395 - Author: STINNER Victor (vstinner) * (Python committer) Date: 2019-09-27 19:59
New changeset e8650a4f8c7fb76f570d4ca9c1fbe44e91c8dfaa by Victor Stinner (Dong-hee Na) in branch 'master':
bpo-38243, xmlrpc.server: Escape the server_title (GH-16373)
https://github.com/python/cpython/commit/e8650a4f8c7fb76f570d4ca9c1fbe44e91c8dfaa
msg353403 - Author: miss-islington (miss-islington) Date: 2019-09-27 20:18
New changeset 39a0c7555530e31c6941a78da19b6a5b61170687 by Miss Islington (bot) in branch '3.7':
bpo-38243, xmlrpc.server: Escape the server_title (GH-16373)
https://github.com/python/cpython/commit/39a0c7555530e31c6941a78da19b6a5b61170687
msg353404 - Author: miss-islington (miss-islington) Date: 2019-09-27 20:19
New changeset 6447b9f9bd27e1f6b04cef674dd3a7ab27bf4f28 by Miss Islington (bot) in branch '3.8':
bpo-38243, xmlrpc.server: Escape the server_title (GH-16373)
https://github.com/python/cpython/commit/6447b9f9bd27e1f6b04cef674dd3a7ab27bf4f28
msg353407 - Author: STINNER Victor (vstinner) * (Python committer) Date: 2019-09-27 20:27
@Dong-hee Na: Would you mind trying to backport the change to Python 2.7, which also has the bug?
msg353418 - Author: Dong-hee Na (corona10) * (Python triager) Date: 2019-09-27 21:49
Sure!
msg353440 - Author: Ned Deily (ned.deily) * (Python committer) Date: 2019-09-28 07:33
New changeset 1698cacfb924d1df452e78d11a4bf81ae7777389 by Ned Deily (Victor Stinner) in branch '3.6':
bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) (GH-16441)
https://github.com/python/cpython/commit/1698cacfb924d1df452e78d11a4bf81ae7777389
msg353668 - Author: STINNER Victor (vstinner) * (Python committer) Date: 2019-10-01 10:58
New changeset 8eb64155ff26823542ccf0225b3d57b6ae36ea89 by Victor Stinner (Dong-hee Na) in branch '2.7':
[2.7] bpo-38243: Escape the server title of DocXMLRPCServer (GH-16447)
https://github.com/python/cpython/commit/8eb64155ff26823542ccf0225b3d57b6ae36ea89
msg353677 - Author: STINNER Victor (vstinner) * (Python committer) Date: 2019-10-01 11:51
I prefer to keep it open until the 3.5 backport is merged.
msg353689 - Author: Dong-hee Na (corona10) * (Python triager) Date: 2019-10-01 12:21
> I prefer to keep it open until the 3.5 backport is merged.
Sorry, I didn't find it.
Yes, we should leave it open until the PR is merged.
History
Date User Action Args
2019-10-01 12:21:52 corona10 set messages: + msg353689
2019-10-01 11:51:17 vstinner set status: closed -> open
  resolution: fixed ->
  messages: + msg353677
2019-10-01 11:28:39 corona10 set status: open -> closed
  resolution: fixed
  stage: patch review -> resolved
2019-10-01 10:59:41 vstinner set pull_requests: + pull_request16106
2019-10-01 10:58:04 vstinner set messages: + msg353668
2019-09-28 07:33:05 ned.deily set nosy: + ned.deily
  messages: + msg353440
2019-09-28 01:20:27 corona10 set pull_requests: + pull_request16026
2019-09-27 21:49:22 corona10 set messages: + msg353418
2019-09-27 20:27:01 vstinner set messages: + msg353407
2019-09-27 20:19:44 miss-islington set messages: + msg353404
2019-09-27 20:18:19 miss-islington set nosy: + miss-islington
  messages: + msg353403
2019-09-27 20:03:20 vstinner set pull_requests: + pull_request16020
2019-09-27 20:00:25 miss-islington set pull_requests: + pull_request16019
2019-09-27 20:00:15 miss-islington set pull_requests: + pull_request16018
2019-09-27 19:59:40 vstinner set messages: + msg353395
2019-09-26 13:17:38 corona10 set messages: + msg353301
2019-09-25 11:01:41 vstinner set messages: + msg353170
2019-09-25 11:00:43 vstinner set messages: + msg353169
2019-09-25 04:40:29 corona10 set messages: + msg353140
2019-09-25 04:23:41 corona10 set keywords: + patch
  stage: patch review
  pull_requests: + pull_request15953
2019-09-25 02:08:49 corona10 set messages: + msg353132
2019-09-25 01:43:44 corona10 set nosy: + corona10
2019-09-25 01:10:13 vstinner set nosy: + vstinner, mdk
2019-09-21 19:34:38 ned.deily set keywords: + security_issue
  priority: normal -> high
  versions: + Python 2.7, Python 3.5, Python 3.6, Python 3.8, Python 3.9
2019-09-21 04:25:04 xtreak set nosy: + xtreak
  messages: + msg352922
2019-09-21 02:17:30 longwenzhang create