Author vstinner
Recipients vstinner
Date 2017-11-20.13:49:15
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1511185756.0.0.213398074469.issue32084@psf.upfronthosting.co.za>
In-reply-to
Content
iDer reported a vulnerability in the HTTP server.

(1) Start a local HTTP server (listen to tcp/8000):

python3 -m http.server 8000

(2) Open a web browser and go to:

http://localhost:8000//www.python.org/%2f..

=> the browser is redirected to http://www.python.org/%2f../

(in this example, the python.org web server redirects to https://www.python.org/%2f../ )


Raw HTTP to see the HTTP redirection using netcat:
---
$ echo -ne "GET //www.python.org/%2f.. HTTP/1.0\n\n" | nc localhost 8000
HTTP/1.0 301 Moved Permanently
Server: SimpleHTTP/0.6 Python/3.6.2
Date: Mon, 20 Nov 2017 13:31:42 GMT
Location: //www.python.org/%2f../
---

The problem is in the SimpleHTTPRequestHandler.send_head() function:

* self.path = '//www.python.org/%2f..'
* translate_path() translates the '//www.python.org//..' path to self.directory (the current directory by default).
* isdir(self.directory) is True but self.path doesn't end with '/', so send_head() creates an HTTP redirection (HTTP 301)
* The redirection URL is '//www.python.org/%2f../'. Extract of the raw HTTP: "Location: //www.python.org/%2f../"

Web browsers translate the URL '//www.python.org/%2f../' to "http://www.python.org/%2f../"... It surprised me, but ok, it's a fact.

I'm not sure what is the best way to fix this vulnerability without rejecting valid HTTP requests.

IMHO the root issue is the redirection URL starting with "//". I would expect something like "localhost//". The problem is that I'm not sure that the HTTP server knows its own "external" hostname. "localhost" is wrong if the server is accessed from the outside. Maybe the server must just fail in that case?


This vulnerability was reported to the Python Security Response Team (PSRT) on October 18, 2017 (one month ago). Since no obvious fix was found, it was decided to make the vulnerability public to get more eyes on it to find a quick fix.

Note: I'm not sure that this vulnerability is important, since the redirected URL ends with "/%2f../" which should be rejected by any correct HTTP Server (say, not the Python builtin "simple" HTTP server...).
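The following is an added example, not part of the report above and not CPython's own code: an offline model of the send_head() redirect logic the report walks through (translate_path() collapsing the path to the serving directory, the 301 Location built with urlsplit()/urlunsplit(), and the client resolving a scheme-relative Location), plus one possible hardening step. The function names, the '/srv/www' serving directory, and the choice to collapse leading slashes are assumptions made here; the model follows the 3.6-era logic described in the report rather than importing http.server, so it runs without starting a server.

```python
# Added example (not CPython's code): offline model of the send_head()
# redirect path described in the report, plus a hardening step.
# Function names and the sample directory are assumptions of this example.
import posixpath
import urllib.parse
from typing import Optional


def translate_path(directory: str, request_path: str) -> str:
    """Simplified model of SimpleHTTPRequestHandler.translate_path().

    Query/fragment are dropped, the path is unquoted and normalised, and
    each remaining component is joined onto the serving directory; '.' and
    '..' components are skipped. posixpath is used so the result does not
    depend on the host OS.
    """
    path = request_path.split('?', 1)[0].split('#', 1)[0]
    trailing_slash = path.rstrip().endswith('/')
    path = posixpath.normpath(urllib.parse.unquote(path))
    # '//www.python.org/%2f..' unquotes to '//www.python.org//..' and
    # normalises to '//', leaving no components: the result is the directory,
    # which is why isdir() is True in the report.
    words = [w for w in path.split('/') if w]
    path = directory
    for word in words:
        if posixpath.dirname(word) or word in ('.', '..'):
            continue
        path = posixpath.join(path, word)
    if trailing_slash:
        path += '/'
    return path


def redirect_location(request_path: str) -> Optional[str]:
    """Location value send_head() emits when the target is a directory.

    Returns None when the URL path already ends with '/', i.e. no 301.
    urlsplit() treats a leading '//' as an authority, so the attacker's
    "host" segment survives into the redirect unchanged.
    """
    parts = urllib.parse.urlsplit(request_path)
    if parts.path.endswith('/'):
        return None
    new_parts = (parts[0], parts[1], parts[2] + '/', parts[3], parts[4])
    return urllib.parse.urlunsplit(new_parts)


def browser_resolves(base_url: str, location: str) -> str:
    """How a client resolves the Location header against the page it asked
    for (RFC 3986 reference resolution, as implemented by urljoin()).
    A scheme-relative '//host/...' inherits only the scheme from the base."""
    return urllib.parse.urljoin(base_url, location)


def harden_request_path(request_path: str) -> str:
    """Collapse a leading run of '/' to a single '/' before routing.

    One possible mitigation (an assumption of this example, not a claim
    about the right fix): with a single leading slash the path can no
    longer be read as a scheme-relative URL carrying a host.
    """
    if request_path.startswith('//'):
        return '/' + request_path.lstrip('/')
    return request_path


if __name__ == '__main__':
    attack = '//www.python.org/%2f..'
    print('served path :', translate_path('/srv/www', attack))
    loc = redirect_location(attack)
    print('Location    :', loc)
    print('browser goes:', browser_resolves('http://localhost:8000/', loc))
    safe = redirect_location(harden_request_path(attack))
    print('hardened    :', safe, '->',
          browser_resolves('http://localhost:8000/', safe))
```

Running it reproduces the report's Location header from the request path alone and shows that the browser-side resolution step, not the server's string handling, is what turns "//www.python.org/..." into a cross-origin redirect; the hardened path yields a same-origin Location, which also avoids needing the server to know its external hostname.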
History
Date                 User      Action   Args
2017-11-20 13:49:16  vstinner  set      recipients: + vstinner
2017-11-20 13:49:16  vstinner  set      messageid: <1511185756.0.0.213398074469.issue32084@psf.upfronthosting.co.za>
2017-11-20 13:49:15  vstinner  link     issue32084 messages
2017-11-20 13:49:15  vstinner  create