[security][CVE-2020-26116] http.client: HTTP Header Injection in the HTTP method #83784
Comments
I recently came across a bug during a pentest that's allowed me to perform some really interesting attacks on a target. While originally discovered in requests, I had been forwarded to one of the urllib3 developers after agreeing that fixing it at its lowest level would be preferable. I was informed that the vulnerability is also present in http.client and that I should report it here as well. The 'method' parameter is not filtered to prevent the injection from altering the entire request. For example:

```python
>>> import http.client
>>> conn = http.client.HTTPConnection("localhost", 80)
>>> conn.request(method="GET / HTTP/1.1\r\nHost: abc\r\nRemainder:", url="/index.html")
```

This will result in the following request being generated:

This was originally found in an HTTP proxy that was utilising Requests. It allowed me to manipulate the original path to access different files from an internal server, since the developers had assumed that the method would filter out non-standard HTTP methods. The recommended solution is to only allow the standard HTTP methods of GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, and PATCH. An alternate solution that would allow programmers to use non-standard methods would be to only support characters [a-z] and stop reading at any special characters (especially newlines and spaces).
I don't think that we have to be so strict. We can maybe restrict the HTTP method to ASCII letters, or just reject control characters (U+0000-U+001f). Similar issues (fixed):

I agree that the solution is quite restrictive.

Can I work on it?!
@vstinner sorry to bother you, I have a quick question. The request(...) method is like this:

```python
def request(self, method, url, body=None, headers={}, *,
            encode_chunked=False):
    """Send a complete request to the server."""
    self._send_request(method, url, body, headers, encode_chunked)
```

'request' calls the '_send_request' method, and '_send_request' calls 'putrequest' inside itself. So is it good if I encode the 'method' parameter to ASCII inside 'putrequest'??!
Welcome to work on the patch, Amir.
It will be similar to one of the examples Victor has shared.

Hey, it's been a week since the last activity here...

The 3.9 and 3.8 backports are waiting for tests to complete. The 3.7 and 3.6 backports need to be merged by the RM (Ned). Then someone can close this issue.

Merged for release in 3.9.0b5, 3.8.5, 3.7.9, and 3.6.12. Thanks, everyone!

I've just noticed an issue with the current version of the patch. It should also include 0x20 (space), since that can also be used to manipulate the request.

Can you indicate how to use a space in the HTTP verb as part of an attack?

Hello, CVE-2020-26116 has been requested/assigned for this flaw via the MITRE form: https://cveform.mitre.org/ I suggest mentioning it in the related vulnerability page: https://python-security.readthedocs.io/vuln/http-header-injection-method.html Also note that httplib (python-2.7.18) seems to be affected too. Any particular reason for it not to be listed in the same vulnerability page? Thank you,

Yes: 2.7 has been end-of-lifed and is no longer supported.

Mauro Matteo Cascella: "CVE-2020-26116 has been requested/assigned for this flaw via MITRE form: https://cveform.mitre.org/ I suggest mentioning it in the related vulnerability page: https://python-security.readthedocs.io/vuln/http-header-injection-method.html" Thanks, done.
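The validation discussed in this thread (rejecting control characters in the method, and the later point about also rejecting 0x20), shown as an added example that is not part of the CPython patch: `validate_method` accepts only RFC 7230 token characters, which excludes CR, LF, space and every other control or delimiter character, and the hypothetical `StrictHTTPConnection` wrapper applies that check before `putrequest` builds the request line, for applications that forward an untrusted method to `http.client` on an interpreter without the fix.

```python
import http.client
import re

# RFC 7230 "token" characters: the only characters permitted in a request
# method. CR, LF, space and all other control/delimiter characters are
# outside this set, so a token can never add request-line fields or header
# lines to the outgoing request.
_TCHAR_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def validate_method(method: str) -> str:
    """Return `method` unchanged if it is a valid HTTP token, else raise ValueError."""
    if not isinstance(method, str) or not _TCHAR_RE.match(method):
        raise ValueError("invalid HTTP method: %r" % (method,))
    return method


def is_valid_method(method) -> bool:
    """Boolean form of validate_method, convenient for tests and filters."""
    try:
        validate_method(method)
    except ValueError:
        return False
    return True


class StrictHTTPConnection(http.client.HTTPConnection):
    """HTTPConnection that validates the method before the request line is built.

    Hypothetical defensive wrapper (not part of the stdlib): putrequest is the
    single point where the method reaches the wire, so checking it here covers
    request() as well, which calls putrequest via _send_request.
    """

    def putrequest(self, method, url, skip_host=False, skip_accept_encoding=False):
        validate_method(method)
        return super().putrequest(method, url, skip_host=skip_host,
                                  skip_accept_encoding=skip_accept_encoding)


if __name__ == "__main__":
    # Constructed inputs: a plain method, a non-standard but well-formed
    # method, and the injected value from the original report.
    for candidate in ("GET", "PROPFIND", "GET / HTTP/1.1\r\nHost: abc\r\nRemainder:"):
        print(repr(candidate), "->", "accepted" if is_valid_method(candidate) else "rejected")
```

`putrequest` only buffers the request line, so the wrapper can be exercised without a live server, as the test below does.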