[security][CVE-2019-9740][CVE-2019-9947] HTTP Header Injection (follow-up of CVE-2016-5699) #74643
Comments
|
Hi, the patch in CVE-2016-5699 can be broke by an addition space. import urllib, urllib2
urllib.urlopen('http://127.0.0.1\r\n\x20hihi\r\n :11211')
urllib2.urlopen('http://127.0.0.1\r\n\x20hihi\r\n :11211') |
|
Looking at the code and the previous issue bpo-22928, CRLF immediately followed by a tab or space (obs-fold: CRLF 1*( SP / HTAB )) is a valid part of a header value so the regex deliberately ignore them. So it looks right to me the url given doesn't raise the same exception as the url without spaces, though the given url seems malformed. |
|
You can also inject proper HTTP header fields (or do multiple requests) if you omit the space after the CRLF: urlopen("http://localhost:8000/ HTTP/1.1\r\nHEADER: INJECTED\r\nIgnore:")Data sent to the server:
>>> server = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)
>>> server.bind(("localhost", 8000))
>>> server.listen()
>>> [conn, addr] = server.accept()
>>> pprint(conn.recv(300).splitlines(keepends=True))
[b'GET / HTTP/1.1\r\n',
b'HEADER: INJECTED\r\n',
b'Ignore: HTTP/1.1\r\n',
b'Accept-Encoding: identity\r\n',
b'User-Agent: Python-urllib/3.5\r\n',
b'Connection: close\r\n',
b'Host: localhost:8000\r\n',
b'\r\n']bpo-14826 is already open about how “urlopen” handles spaces, and there is a patch in bpo-13359 that proposes to also encode newline characters. But if the CRLF or header injection is a security problem, then 2.7 etc could be changed to raise an exception (like bpo-22928), or to do percent encoding. |
|
Actually, the CRLF + space can be injected via percent encoding, so just dealing with literal CRLFs and spaces wouldn’t be enough. You would have to validate the hostname after it is decoded. urlopen("http://127.0.0.1%0D%0A%20SLAVEOF . . . :6379/")>>> pprint(conn.recv(300).splitlines(keepends=True))
[b'GET / HTTP/1.1\r\n',
b'Accept-Encoding: identity\r\n',
b'Host: 127.0.0.1\r\n',
b' SLAVEOF . . . :6379\r\n',
b'Connection: close\r\n',
b'User-Agent: Python-urllib/2.7\r\n',
b'\r\n'] |
|
See also https://bugs.python.org/issue36276 for a similar report. I think it's better to raise an error instead of encoding CRLF characters in URL similar to headers. I feel either of the issue and more preferably bpo-36276 closed as a duplicate of this one. Copy of msg337968 with reference to details about similar report in golang : For reference an exact report on golang repo : golang/go#30794 . This seemed to have been fixed in latest golang release 1.12 and commit golang/go@829c5df . The commit introduces a check for CTL characters and throws an error for URLs something similar to Python does for headers now at bf3e1c9b80e9. func isCTL(r rune) bool { if strings.IndexFunc(ruri, isCTL) != -1 {
return errors.New("net/http: can't write control character in Request.URL")
}So below program used to work before go 1.12 setting a key on Redis but now it throws error : package main import "fmt" func main() { ➜ go version Looking more into the commit there seemed to be a solution towards escaping characters with golang/go#22907 . The fix seemed to have broke Google's internal tests [0] and hence reverted to have the above commit where only CTL characters were checked and raises an error. I think this is a tricky bug upon reading code reviews in the golang repo that has around 2-3 reports with a fix committed to be reverted later for a more conservative fix and the issue was reopened to target go 1.13 . Thanks a lot for the report @ragdoll.guo [0] https://go-review.googlesource.com/c/go/+/159157/2#message-39c6be13a192bf760f6318ac641b432a6ab8fdc8 |
|
The CVE-2019-9740 has been assigned to the bpo-36276: ... which has been marked as a duplicate of this issue. |
vstinner
changed the title
|
Martin claimed "Actually, the CRLF + space can be injected via percent encoding" I am unable to reproduce that behavior using urllib.request.urlopen() or urllib.request.URLopener.open() in my master/3.8 tree. |
|
Oh, I didn't recall that this issue (this class of security vulnerabilities) has a so old history. I found *A LOT* of similar open issues. Here are my notes. Maybe most open issues should be closed as duplicate of this one to clarify the status of urllib in Python? :-) Emails:
Open issues:
Closed issues:
Rejected pull requests:
|
Gregory P. Smith just marked bpo-35906 as a duplicate of this issue. Copy of his msg339842: """ i do not think this one deserved its own CVE; at least https://nvd.nist.gov/vuln/detail/CVE-2019-9947's current text also points to the other one. Until the status of CVE-2019-9947 is clarified, I added CVE-2019-9947 in the title of this issue to help to better track all CVEs :-) Did someone contact the CVE organization to do something with CVE-2019-9947? |
vstinner
changed the title
I don't know how CVE are assigned. Since this issue started with "the patch in CVE-2016-5699 can be broke by an addition space", would it make sense to reuse CVE-2016-5699 rather than using a new CVE? |
vstinner
changed the title
|
As @gregory.p.smith noted in GitHub [0] this fixes only protocol level bugs. There are some parsing ambiguities in urllib that are potential security issues still to be fixed. bpo-20271 - urllib.urlparse('http://benign.com\\[attacker.com]') returns attacker.com as hostname . A slightly related issue https://bugs.python.org/issue20271 As a fun side note this vulnerability was used by one of our own tests as a feature from 2012 to test another security issue (bpo-14001) [1] :) [0] #12755 (comment) |
|
Gregory, I haven’t tried recent Python code, but I expect the problem with percent decoding is still there. If you did try my example, what results did you see? Be aware that these techniques only work if the OS co-operates and connects to localhost when you give it the longer host string. At the moment I have glibc 2.26 on x86-64 Linux. In the Python 3 master branch, the percent-encoding should be decoded in “urllib.request.Request._parse”: def _parse(self):
...
self.host, self.selector = _splithost(rest)
if self.host:
self.host = unquote(self.host)Then in “AbstractHTTPHandler.do_request_” the decoded host string becomes the “Host” header field value, without any encoding: def do_request_(self, request):
host = request.host
...
sel_host = host
...
if not request.has_header('Host'):
request.add_unredirected_header('Host', sel_host)Perhaps one solution to both my version and Orange’s original version is to encode the “Host” header field value properly. This might also apply to the “http.client” code. |
|
bpo-36276 has been marked as a duplicate of this issue. According to the following message, urllib3 is also vulnerable to HTTP Header Injection: Copy of Alvin Chang's msg337837: """ import urllib3
pool_manager = urllib3.PoolManager()
host = "localhost:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123"
url = "http://" + host + ":8080/test/?test=a"try: nc -l localhost 7777 |
And the issue has been reported to urllib3: Copy of the first message: """ A commenter mentions that the same bug is present in urllib3: So reporting it here to make sure it gets attention. |
|
Since this issue has a long history and previously attempts to fix it failed, it seems like the Internet is a black or white world, more like a scale of gray... *Maybe* we need to provide a way to allow to pass junk characters in an URL? (disable URL validation) Idea: add an optional parameter to urllib, httplib, maybe also ftplib, to allow arbitrary "invalid" URLs / FTP commands. It would be a parameter *per request*, not a global option. I don't propose to have a global configuration option like an environment variable, urllib attribute or something else. A global option would be hard to control and would impact just too much code. My PEP-433 has been rejected because of the sys.setdefaultcloexec(cloexec: bool) function which allowed to change globally the behavior of Python. The PEP-446 has been accepted with no *global* option to opt-in for the old behavior, but only "local" *per file descriptor*: os.set_inheritable(fd, inheritable). |
We should not do this in our http protocol stack code. Anyone who _wants_ that is already intentionally violating the http protocol which defeats the entire purpose of our library and the parameter named "url". Will this break something in the world other than our own test_xmlrpc test? Probably. Do they have a right to complain about it? Not one we need listen to. Such code is doing something that was clearly an abuse of the API. The parameter was named url not raw_data_to_stuff_subversively_into_the_binary_protocol. Its intent was clear. |
I understand. But. Can we consider that for old Python versions like Python 2.7 and 3.5? This change will be applied to all supported Python versions. I recall that when Python 2.7 started to validate TLS certificate, the change broke some applications. Are these applications badly written? Yes! But well, "it worked well before". Sometimes, when you work in a private network, the security matters less, whereas it might be very expensive to fix a legacy application. At Red Hat, we developed a solution to let customers to opt-out from this fix (to no validate TLS certificates), because it is just too expensive for customers to fix their legacy code but they would like to be able to upgrade RHEL. One option to not validate URLs is to downgrade Python, but I'm not sure that it's the best compromise :-/ |
|
It seems like a change has been pushed into urllib3 to fix this issue, but that there is an issue with international URLs and that maybe RFC 3986 should be updated. RFC 3986: "Uniform Resource Identifier (URI): Generic Syntax" (January 2005) "Without bpo-1531 or IRI support in rfc3986 releasing master in it's current state will break backwards compatibility with international URLs." urllib3/urllib3#1553 (comment) => where 1531 means urllib3/urllib3#1531 "wave Hi! I've noticed that CVE-2019-11236 has been assigned to the CRLF injection issue described here. It seems that the library has been patched in GitHub, but no new release has been made to pypi. Will a new release containing the fix be made to pypi soon? Based on @theacodes comment it seems like a release was going to be made, but I also see her status has her perhaps unavailable. Is someone else perhaps able to cut a new release into pypi?" |
|
"wave Hi! I've noticed that CVE-2019-11236 has been assigned to the CRLF injection issue described here. It seems that the library has been patched in GitHub, but no new release has been made to pypi. (...)" This urllib3 change: urllib3 now vendors a copy of the rfc3986 library: |
There are multiple Python projects to validate URI:
|
|
Assigning to Larry to decide if he wants to merge that PR into 3.5 or not. |
|
Note for myself: Python 2 urllib.urlopen(url) always quotes the URL and so is not vulnerable to HTTP Header Injection (at least, not to this issue ;-)). |
|
The commit b7378d7 is incomplete: it doesn't seem to check for control characters in the "host" part of the URL, only in the "path" part of the URL. Example: The URL comes from the first message of this issue: Development branches 2.7 and master produce a similar output: Traceback (most recent call last):
...
Exception: (('127.0.0.1\r\n hihi\r\n ', 11211), ..., None)So urllib2/urllib.request actually does a real network connection (DNS query), whereas it should reject control characters in the "host" part of the URL. A second problem comes into the game. Some C libraries like glibc strip the end of the hostname (strip at the first newline character) and so HTTP Header injection is still possible is this case: According to the RFC 3986, the "host" grammar doesn't allow any control character, it looks like: host = IP-literal / IPv4address / reg-nameALPHA (letters) IP-literal = "[" ( IPv6address / IPvFuture ) "]" |
vstinner
added
3.7 (EOL)
|
Okay, the url variable against which the regex check is made is not the full url but the path. The HTTPConnection class sets self.host [0] in the constructor which is used to send the Host header. Perhaps the regex check could be done for the host too given the path check is already done in the previous commit. With that the reported host also throws a http.client.InvalidURL exception.
The bug link raises permission error. Does fixing the host part fix this issue too since there won't be any socket connection made? Is it possible to have a Python reproducer of this issue? [0] Line 829 in 7f41c8e |
I think this was supposed to refer to CVE-2016-10739 (https://bugzilla.redhat.com/show_bug.cgi?id=1347549) |
|
Will the flaw outlined in https://bugs.python.org/issue30458#msg347282 be fixed in python itself? If so, I think a CVE for python should be requested to MITRE (I can request one, in that case). Moreover, does it make sense to create a new bug to track the new issue? This bug already references 3 CVEs and it would probably just create more confusion to reference a 4th. What do you think? |
|
I'm not a fan of CVE numbers in general, people have been creating too many of those. But that also means I just don't care if someone does. Having a CVE entry is not a way to claim something is important. This issue is still open and can be used to track dealing with the host. |
|
This change caused a regression or two captured in bpo-36274. Essentially, by blocking invalid requests, it's now not possible for a system intentionally to generate invalid requests for testing purposes. As these point releases of Python start making it into the wild, the impact of this change will likely increase. I think this patch was applied at too low a level. That is, instead of protecting the user inputs, the change protects the programmer's inputs. I mention this here so those interested can follow the mitigation work happening in bpo-36274. |
|
If I understand Jason's message correctly, the changes for bpo-30458 introduced a regression in 3.7.4 and will introduce the same regression in other branches as they are released, including 3.5.8 whose rc1 is now in testing. 3.7.5rc1 is scheduled to be tagged later today. Is this regression serious enough that we should hold 3.7.5 and/or 3.5.8 for a fix? If so, there should probably be a separate issue for it unless it is necessarily intertwined with the resolution of bpo-36274. I'm provisionally setting the status of this issue to "release blocker". |
|
Should we open a separate issue to track fixing the regression? |
Yes, I think so. The ticket I referenced mainly addresses an incompatibility that was introduced with Python 3.0, so is much less urgent than the one introduced more recently, so I believe it deserves a proper, independent description and discussion. I'll gladly file that ticket, tonight most likely. |
|
I've created bpo-38216 to address the (perceived) regression. |
|
With the breaking out of the portential and/or actual regression (e.g. invalid requests can no longer be crafted) into bpo-38216, itself a potential release blocker, we are still left here with the as-yet unresolved issue identified above in msg34728 (e.g. not checking for control characters in the "host" part of the URL, only the "path" part). Since this also affects so many branches/releases and has external components (CVE's, third-party impacts), it probably would have made sense to break it out into a separate issue (and maybe it still does). But since this problem has been present for many releases (apparently), I would rather not further hold the 3.7.5 release for a resolution (though that would be a good thing) so I'm going to change the priority for the moment to "deferred blocker". But we need someone (preferably a core dev already involved) to take charge of this and push it to a resolution. Thanks for everyone's help so far! |
|
CVE-2019-18348 has been assigned to the issue explained in https://bugs.python.org/issue30458#msg347282 . Maybe a separate bug for it would be better though. CVE-2019-18348 is about injecting CRLF in HTTP requests through the *host* part of a URL. |
|
Can you please open a separate issue for CVE-2019-18348? It is easier to track that way. (META: In general I think the CVE process is being abused and that these really did not deserve that treatment. https://lwn.net/Articles/801157/ is good reading and food for thought.) |
|
I have created https://bugs.python.org/issue38576 to address CVE-2019-18348. @gregory.p.smith if you have particular complains about these CVEs feel free to let me know (even privately). I think the security impact of these flaws is: an application that relies on urlopen/HTTPConnection/etc. where either the query part, the path part or the host part are user-controlled, could be exploited to send unintended HTTP headers to other hosts (maybe services that would not be directly reachable by the user). FYI, there were some good replies to that CVE talk, one of which is https://grsecurity.net/reports_of_cves_death_greatly_exaggerated . |
|
i believe new work will be done via the new issue. marking this closed. if there is something not covered by bpo-38576 that remains, please open a new issue for it. new discussion on this long issue is easy to get lost in. |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: