
Author: RAUSHAN RAJ
Recipients: RAUSHAN RAJ
Date: 2016-11-23 08:52:51
Message-id: <1479891172.05.0.173710900147.issue28778@psf.upfronthosting.co.za>

Content:
https://www.owasp.org/index.php/CRLF_Injection

The issue is in wsgiref.headers – WSGI response header tools:
This module provides a single class, Headers, for convenient manipulation of WSGI response headers using a mapping-like interface.
class wsgiref.headers.Headers(headers)

Example (interactive session):
>>> import wsgiref.headers as hd
>>> h = hd.Headers([])
>>> # field-name with a leading space and an embedded LF is accepted as-is
>>> h.add_header(' Content-type'+chr(10)+'set-cook:5', 'text/plain')
>>> h
Headers([(' Content-type\nset-cook:5', 'text/plain')])
>>> # serialized output now contains a second header line, "set-cook:5: text/plain"
>>> str(h)
' Content-type\nset-cook:5: text/plain\r\n\r\n'

Response in browser looks like this:

[Inline image 1: browser response, not reproduced]
An attacker could use this flaw to inject additional headers in a Python application that allowed user-provided header names or values.

Also,
No whitespace is allowed between the header field-name and colon. In
the past, differences in the handling of such whitespace have led to
security vulnerabilities in request routing and response handling. A
server MUST reject any received request message that contains
whitespace between a header field-name and colon with a response code
of 400 (Bad Request). A proxy MUST remove any such whitespace from a
response message before forwarding the message downstream.

But the add_header function allows whitespace as well.

Tested for python 2.7.9 and python 3.5.1

For reference, it is related to the following (in that case request header injection is possible):
https://bugs.python.org/issue22928
http://bugs.python.org/issue17322
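A defensive wrapper for the behaviour reported above, added here as an example and not code from the report or from CPython: SafeHeaders and validate_header (hypothetical names, Python 3) subclass wsgiref.headers.Headers and reject field-names that are not RFC 7230 tokens (which rules out the leading space, the ':' and the embedded LF in the report's payload) and values containing CR, LF or NUL, so the module never serializes a second header line.

```python
import re
import wsgiref.headers

# RFC 7230 tchar set: a header field-name must be a non-empty token, which
# excludes whitespace, ':' and CR/LF by construction.
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# CR, LF and NUL in a value would start a new header line (response
# splitting) or truncate the value in some parsers.
_BAD_VALUE_RE = re.compile(r"[\r\n\x00]")


def validate_header(name, value):
    """Raise unless name/value can be emitted as a single HTTP header line."""
    if not isinstance(name, str) or not isinstance(value, str):
        raise TypeError("header name and value must be str")
    # fullmatch, not match() with '$': '$' would still accept a trailing '\n'.
    if not _TOKEN_RE.fullmatch(name):
        raise ValueError("invalid header field-name: %r" % name)
    if _BAD_VALUE_RE.search(value):
        raise ValueError("CR/LF/NUL in header value: %r" % value)
    return name, value


class SafeHeaders(wsgiref.headers.Headers):
    """Headers subclass (hypothetical) that refuses injectable names/values."""

    def add_header(self, _name, _value, **_params):
        validate_header(_name, _value)
        # Parameters are appended to the value line, so they need the same check.
        for pname, pvalue in _params.items():
            if pvalue is not None:
                validate_header(pname.replace('_', '-'), pvalue)
        super().add_header(_name, _value, **_params)

    def __setitem__(self, name, val):
        validate_header(name, val)
        super().__setitem__(name, val)


def try_add(name, value):
    """Return the serialized headers, or the rejection reason for bad input."""
    h = SafeHeaders([])
    try:
        h.add_header(name, value)
    except ValueError as exc:
        return "rejected: %s" % exc
    return str(h)
```

try_add(' Content-type' + chr(10) + 'set-cook:5', 'text/plain') returns the rejection reason instead of the two-line output shown in the report; note that Headers.setdefault appends directly and is not covered by this wrapper.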