Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[security][CVE-2019-16935] A reflected XSS in python/Lib/DocXMLRPCServer.py #82424

Closed
lwzSoviet mannequin opened this issue Sep 21, 2019 · 19 comments
Closed

[security][CVE-2019-16935] A reflected XSS in python/Lib/DocXMLRPCServer.py #82424

lwzSoviet mannequin opened this issue Sep 21, 2019 · 19 comments
Labels
3.7 (EOL) end of life 3.8 only security fixes 3.9 only security fixes stdlib Python modules in the Lib dir type-security A security issue

Comments

@lwzSoviet
Copy link
Mannequin

lwzSoviet mannequin commented Sep 21, 2019

BPO 38243
Nosy @vstinner, @larryhastings, @ned-deily, @JulienPalard, @corona10, @miss-islington, @tirkarthi, @lwzSoviet
PRs
  • bpo-38243: Escape the server_title of DocXMLRPCServer when rendering #16373
  • [3.8] bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) #16439
  • [3.7] bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) #16440
  • [3.6] bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) #16441
  • [2.7] bpo-38243: Escape the server title of DocXMLRPCServer #16447
  • [3.5] bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) (GH-16441) #16516
  • Files
  • poc.py
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    Show more details

    GitHub fields:

    assignee = None
    closed_at = <Date 2019-10-29.05:43:00.681>
    created_at = <Date 2019-09-21.02:17:30.141>
    labels = ['type-security', '3.8', '3.7', 'library', '3.9']
    title = '[security][CVE-2019-16935] A reflected XSS in python/Lib/DocXMLRPCServer.py'
    updated_at = <Date 2020-03-23.14:58:02.727>
    user = 'https://github.com/lwzSoviet'

    bugs.python.org fields:

    activity = <Date 2020-03-23.14:58:02.727>
    actor = 'vstinner'
    assignee = 'none'
    closed = True
    closed_date = <Date 2019-10-29.05:43:00.681>
    closer = 'larry'
    components = ['Library (Lib)']
    creation = <Date 2019-09-21.02:17:30.141>
    creator = 'longwenzhang'
    dependencies = []
    files = ['48619']
    hgrepos = []
    issue_num = 38243
    keywords = ['patch', 'security_issue']
    message_count = 19.0
    messages = ['352921', '352922', '353132', '353140', '353169', '353170', '353301', '353395', '353403', '353404', '353407', '353418', '353440', '353668', '353677', '353689', '355614', '361819', '364855']
    nosy_count = 8.0
    nosy_names = ['vstinner', 'larry', 'ned.deily', 'mdk', 'corona10', 'miss-islington', 'xtreak', 'longwenzhang']
    pr_nums = ['16373', '16439', '16440', '16441', '16447', '16516']
    priority = 'high'
    resolution = 'fixed'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'security'
    url = 'https://bugs.python.org/issue38243'
    versions = ['Python 2.7', 'Python 3.5', 'Python 3.6', 'Python 3.7', 'Python 3.8', 'Python 3.9']

    @lwzSoviet
    Copy link
    Mannequin Author

    lwzSoviet mannequin commented Sep 21, 2019

    It's "Lib/DocXMLRPCServer.py" in python2x or "Lib/xmlrpc/server.py" in python3x.

    Steps to reproduce:

    1.Lib/DocXMLRPCServer.py is “a documenting XML-RPC Server“,In the Class ServerHTMLDoc, method markup(), will escape the Special symbols to safe(such as <," etc).
    2.But it only escape the content from server.set_server_name() and server.set_server_documentation(),the "title" content from the server.set_server_title() will not be escaped, so if I set_server_title('123</title><script>alert(1)</script>'), it will cause XSS because not escaped.
    3.I see the alert in Chrome by visiting http://127.0.0.1,the Poc is the poc.py(run in python2.7) in attachments.
    4.Problems seems to be at
    https://github.com/python/cpython/blob/master/Lib/xmlrpc/server.py#L897 "return documenter.page(self.server_title,documentation)".Before this line,variable "documentation" has been escaped but self.server_title not.This is the main cause.

    @lwzSoviet lwzSoviet mannequin added 3.7 (EOL) end of life stdlib Python modules in the Lib dir type-security A security issue labels Sep 21, 2019
    @tirkarthi
    Copy link
    Member

    Thanks for the report. There is a policy to report security vulnerabilities in CPython : https://www.python.org/news/security/.

    @ned-deily ned-deily added 3.8 only security fixes 3.9 only security fixes labels Sep 21, 2019
    @corona10
    Copy link
    Member

    Looks like this issue can be solved by below code changed.

    @@ -833,7 +834,7 @@ class XMLRPCDocGenerator:
    def set_server_title(self, server_title):
    """Set the HTML title of the generated server documentation"""

    •    self.server_title = server_title
      

    + self.server_title = html.escape(server_title)

    @corona10
    Copy link
    Member

    I've proposed the patch on GitHub which escaping the server_title when the documenter.page is called. (It different point with msg353132.

    @vstinner
    Copy link
    Member

    Thanks for the report. There is a policy to report security vulnerabilities in CPython : https://www.python.org/news/security/.

    The private security mailing list has been contacted first and we advice to open a public issue since we consider that it's not a major security issue.

    To exploit this bug, the attacker has to control the XML-RPC server title.

    @vstinner
    Copy link
    Member

    I've proposed the patch on GitHub which escaping the server_title when the documenter.page is called. (It different point with msg353132.

    The attached poc.py seems to show that server name and server documentation are not escaped neither.

    server.set_server_name('test<script>')
    server.set_server_documentation('test<script>')

    Well, please write a test to check that ;-)

    @corona10
    Copy link
    Member

    @vstinner

    Thank you for the feedback.
    I've updated the PR with the unit test you suggested :-)

    @vstinner
    Copy link
    Member

    New changeset e8650a4 by Victor Stinner (Dong-hee Na) in branch 'master':
    bpo-38243, xmlrpc.server: Escape the server_title (GH-16373)
    e8650a4

    @miss-islington
    Copy link
    Contributor

    New changeset 39a0c75 by Miss Islington (bot) in branch '3.7':
    bpo-38243, xmlrpc.server: Escape the server_title (GH-16373)
    39a0c75

    @miss-islington
    Copy link
    Contributor

    New changeset 6447b9f by Miss Islington (bot) in branch '3.8':
    bpo-38243, xmlrpc.server: Escape the server_title (GH-16373)
    6447b9f

    @vstinner
    Copy link
    Member

    @Dong-Hee Na: Would you mind to try to backport the change to Python 2.7 which also has the bug?

    @corona10
    Copy link
    Member

    Sure!

    @ned-deily
    Copy link
    Member

    New changeset 1698cac by Ned Deily (Victor Stinner) in branch '3.6':
    bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) (GH-16441)
    1698cac

    @vstinner
    Copy link
    Member

    vstinner commented Oct 1, 2019

    New changeset 8eb6415 by Victor Stinner (Dong-hee Na) in branch '2.7':
    [2.7] bpo-38243: Escape the server title of DocXMLRPCServer (GH-16447)
    8eb6415

    @corona10 corona10 closed this as completed Oct 1, 2019
    @vstinner
    Copy link
    Member

    vstinner commented Oct 1, 2019

    I prefer to keep it open until the 3.5 backport is merged.

    @vstinner vstinner reopened this Oct 1, 2019
    @corona10
    Copy link
    Member

    corona10 commented Oct 1, 2019

    I prefer to keep it open until the 3.5 backport is merged.
    Sorry, I didn't find it.
    Yes, we should let it open until the PR is merged.

    @larryhastings
    Copy link
    Contributor

    New changeset 3fe1b19 by larryhastings (Victor Stinner) in branch '3.5':
    bpo-38243, xmlrpc.server: Escape the server_title (GH-16373) (GH-16441) (bpo-16516)
    3fe1b19

    @vstinner
    Copy link
    Member

    CVE-2019-16935 has been assigned to this vulnerability.

    @vstinner vstinner changed the title A reflected XSS in python/Lib/DocXMLRPCServer.py [security][CVE-2019-16935] A reflected XSS in python/Lib/DocXMLRPCServer.py Feb 11, 2020
    @vstinner
    Copy link
    Member

    Charalampos Strataris's advice: If you backport the security fix and test_docxmlrpc starts to hang randomly, you should also backport bpo-27614 fix. For example, it's the commit 3911d83 for Python 2.7. We had the issue on RHEL 7.

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    Labels
    3.7 (EOL) end of life 3.8 only security fixes 3.9 only security fixes stdlib Python modules in the Lib dir type-security A security issue
    Projects
    None yet
    Development

    No branches or pull requests

    6 participants