CVE-2019-10160: urlsplit NFKD normalization vulnerability in user:password@ #80923
Comments
|
urllib.parse.urlsplit raises an exception for an url including a non-ascii hostname in NFKD form and a port number. example:
>>> urlsplit('http://\u30d5\u309a:80')
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/Users/ito/.maltybrew/deen/lib/python3.7/urllib/parse.py", line 437, in urlsplit
_checknetloc(netloc)
File "/Users/ito/.maltybrew/deen/lib/python3.7/urllib/parse.py", line 407, in _checknetloc
"characters under NFKC normalization")
ValueError: netloc 'プ:80' contains invalid characters under NFKC normalization
>>> urlsplit('http://\u30d5\u309a')
SplitResult(scheme='http', netloc='プ', path='', query='', fragment='')
>>> urlsplit(unicodedata.normalize('NFKC', 'http://\u30d5\u309a:80'))
SplitResult(scheme='http', netloc='プ:80', path='', query='', fragment='')I believe this behavior was introduced at Python 3.7.3. Python 3.7.2 doesn't raise any exception for these lines. |
hokousya
mannequin
added
3.7 (EOL)
|
This could be due to bpo-36216. |
|
Yes, it's due to that. I guess we need to do netloc.rpartition(':') like we currently do for '@' in _checknetloc. Promoting to release blocker and security issue to match the original issue. I can't get to this today, but I should be able to at the PyCon sprints next week if nobody else gets it sooner. |
zooba
added
3.8
|
I found the time to get the first patch. Hopefully backports to 3.6 and 3.7 are easy, but I think 2.7 will take manual steps. Chihiro Ito - if you have other test scenarios, it would be great if you could try them out with the fix in PR 13017. It should be easy enough to copy into your installed Python. |
|
I have confirmed that all of my app's test cases have passed. What I've done:
Thank you for the quick fix! |
|
I'll leave the 3.6 backport in Ned's hands and close this issue. |
3.5 was added as an affected version and seems the original fix was merged to 3.5 too. 3.4 is EoL so is it worthy of backporting to 3.5? I guess the backport would not have merge conflicts and is straightforward. |
|
Yes, you're right. I'll do that port as well. |
|
Thanks for this engagement and pull requests, Steve. |
vstinner
changed the title
|
CVE-2019-10160 has been assigned by Red Hat to this flaw. |
|
The fix for python-2.7 (https://github.com/python/cpython/pull/13815/files#diff-b577545d73dd0cdb2c337a4c5f89e1d7R183) causes errors when netloc contains characters that can't be encoded by 'ascii' codec. You can see it by doing:
>>> netloc = u'example.com\uFF03@bing.com'
>>> raise ValueError(u"netloc '" + netloc + u"' contains invalid characters under NFKC normalization")
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
ValueError: <exception str() failed>
>>> str(netloc)
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
UnicodeEncodeError: 'ascii' codec can't encode character u'\uff03' in position 11: ordinal not in range(128)I suggest we use |
For clarity, CVE-2019-10160 has been assigned to the bug introduced with the fix for the functional regression mentioned in this bug, and not to the bug itself explained in the first comment. See https://bugzilla.redhat.com/show_bug.cgi?id=1718388 for more details about it. |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: