New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
asynchat does not check if terminator is negative integer #55468
Comments
asynchat does not check if terminator is negative integer. so constructions like self.ac_in_buffer[:n] will lead to misbehaviour. When that integer goes from net, attack can be crafted. For example, on Content-Length field. |
What do you mean by "constructions like self.ac_in_buffer[:n] will lead to misbehaviour."? |
asynchat.py: class async_chat: handle_read(): Moreover, "self.ac_in_buffer = self.ac_in_buffer[n:]" shoudl give tail of the buffer, ut instead of this, "self.ac_in_buffer" will contain part of the tail. Such behaviour may break protocol parsing. In my case, malicious user pass 'Content-Length: -100' and totally break protocol parsing. Crafted values may gain memory leak. In any way, author of this code does not thought about negative n in constructions [:n] or [n:]. |
Can you provide a patch including a test case? |
Real patch is the first hunk of attached file. Other 2 hunks are optimizations.. |
only first hunk is really the patch. 2 next hunks are optimizations. |
===== ORIGINAL =========== $ ./qwe.py 10
read length: 10
read data: "xxxxxxxxxx"
should read "test". read: "test"
$ ./qwe.py -10
read length: -10
read data: "xxxxxx"
should read "test". read: "xxxxtest" ===== PATCHED =========== $ ./qwe.py 10
read length: 10
read data: "xxxxxxxxxx"
should read "test". read: "test"
$ ./qwe.py -10
read length: -10
error: uncaptured python exception, closing channel <__main__.http_request_handler connected '' at 0x7fe69b9bf878> (<type 'exceptions.ValueError'>:Negative terminator value is not allowed [/usr/lib/python2.6/asyncore.py|read|78] [/usr/lib/python2.6/asyncore.py|handle_read_event|428] [/tmp/qwe/asynchat.py|handle_read|160] [./qwe.py|found_terminator|19] [/tmp/qwe/asynchat.py|set_terminator|98])
root@fad:/tmp/qwe# |
Can you write an actual patch which includes tests? |
|
By "writing a test" I mean adding a unittest-based test case in Lib/test/test_asynchat.py which fails before fixing Lib/asynchat.py and succeeds afterwards. Now, I'm not even sure I properly understood your bug exactly. In this case, taking a look at a test would help me (and others) to understand what you are complaining about exactly and figure out whether this is actually a bug and if it is worth fixing it. As for how to properly write a patch see: |
attached shorttest.py do the test. If negative terminator is passed, ValueError exception will raise on patched version, and will not raise in unpatched. Currently, I studying test system for python, but I think you will add such simple test faster and cleaner. |
I agree that this is probably a bug, but can't think of any instances where this in itself would cause a security issue. By sending something like a negative Content-Length, you do indeed get data returned that doesn't really match the data sent on the wire. If you're able to manipulate the Content-Length, though, instead of sending a negative value num, you could instead send len(data) + num. Here's a simple example I was able to come up with: Server reads data and runs "echo -n > {data}" (or any write the file specified in "data"). So that's certainly unexpected bahavior. However, this is a fairly low-level module, and doesn't actually do anything with the data it collects. That's left to the subclass, and subclasses should be responsible for validating any data read off the wire before using it. Attached is a patch to tip, including a new test case. |
updating the patch to the current tip |
I've no objection to people trying to take this forward but they should be aware that asyncio is recommended for new code. |
New changeset f67df13dd512 by Victor Stinner in branch '3.4': New changeset d164fda9063a by Victor Stinner in branch 'default': |
This issue is now fixed, thanks for the report. Sorry for the delay :-( Asy Mark wrote, asynchat is now deprecated: it's time to switch to the new shiny asyncio module! |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: