Author devin
Recipients Arfrever, devin, giampaolo.rodola, socketpair
Date 2013-02-23.19:52:12
Message-id <1361649132.58.0.983892154936.issue11259@psf.upfronthosting.co.za>
In-reply-to
Content
I agree that this is probably a bug, but can't think of any instances where this in itself would cause a security issue. By sending something like a negative Content-Length, you do indeed get data returned that doesn't really match the data sent on the wire. If you're able to manipulate the Content-Length, though, instead of sending a negative value num, you could instead send len(data) + num.

Here's a simple example I was able to come up with:

Server reads data and runs "echo -n > {data}" (or any write to the file specified in "data").
Client is supposed to send Content-Length, then that many bytes, expected to be a file that should be written to.
Client instead sends "-4\n/etc/passwd.bak".
Server runs "echo -n > /etc/passwd".

So that's certainly unexpected behavior. However, this is a fairly low-level module, and doesn't actually do anything with the data it collects. That's left to the subclass, and subclasses should be responsible for validating any data read off the wire before using it.

Attached is a patch to tip, including a new test case.
History
Date User Action Args
2013-02-23 19:52:12 devin set recipients: + devin, giampaolo.rodola, Arfrever, socketpair
2013-02-23 19:52:12 devin set messageid: <1361649132.58.0.983892154936.issue11259@psf.upfronthosting.co.za>
2013-02-23 19:52:12 devin link issue11259 messages
2013-02-23 19:52:12 devin create
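
The length-prefixed exchange from the message above, as an added example that is not part of the original message, the attached patch, or asynchat itself. `read_frame_unchecked`, `read_frame_checked`, `FramingError` and `MAX_BODY` are hypothetical names, and the unchecked reader is a simplified model that slices its buffer with the peer-supplied integer.

```python
# Added illustration: "<length>\n<body>" framing with and without header checks.
# The wire samples are constructed from the message's own example.

MAX_BODY = 4096  # assumed upper bound on a body, chosen for this example


class FramingError(ValueError):
    """Raised when the length header or body violates the framing rules."""


def split_header(wire: bytes) -> tuple[bytes, bytes]:
    """Split the wire data into the length header and everything after it."""
    header, sep, rest = wire.partition(b"\n")
    if not sep:
        raise FramingError("missing newline after length header")
    return header, rest


def read_frame_unchecked(wire: bytes) -> bytes:
    """Trust the header: a negative length becomes a slice from the end."""
    header, rest = split_header(wire)
    return rest[:int(header)]


def read_frame_checked(wire: bytes) -> bytes:
    """Accept only a plain decimal length that the received body satisfies."""
    header, rest = split_header(wire)
    # bytes.isdigit() rejects b"-4", b"+4", b" 4" and the empty header.
    if not header.isdigit():
        raise FramingError(f"invalid length header: {header!r}")
    length = int(header)
    if length > MAX_BODY:
        raise FramingError(f"declared length {length} exceeds {MAX_BODY}")
    if len(rest) < length:
        raise FramingError("body shorter than declared length")
    return rest[:length]


if __name__ == "__main__":
    sample = b"-4\n/etc/passwd.bak"  # constructed: the client input from the message
    print("unchecked:", read_frame_unchecked(sample))
    try:
        read_frame_checked(sample)
    except FramingError as exc:
        print("checked rejects:", exc)
    # A valid positive length selects the same bytes, so the consumer
    # still has to validate the body before using it.
    print("checked, length 11:", read_frame_checked(b"11\n/etc/passwd.bak"))
```

The checked reader rejects `-4`, yet `11\n/etc/passwd.bak` still yields `/etc/passwd`, so rejecting negative lengths does not replace validating the data in the subclass.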