Author vstinner
Recipients gregory.p.smith, martin.panter, orange, serhiy.storchaka, vstinner, ware, xiang.zhang, xtreak
Date 2019-04-10.10:36:15
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1554892575.98.0.457417082583.issue30458@roundup.psfhosted.org>
In-reply-to
Content
Oh, I didn't recall that this issue (this class of security vulnerabilities) has a so old history. I found *A LOT* of similar open issues. Here are my notes. Maybe most open issues should be closed as duplicate of this one to clarify the status of urllib in Python? :-)

Emails:

* 2019: https://mail.python.org/pipermail/python-dev/2019-April/157014.html
* 2017: https://mail.python.org/pipermail/python-dev/2017-July/148699.html

Open issues:

* 2011, bpo-13359: "urllib2 doesn't escape spaces in http requests"
  Not marked as a security issue.
* 2012, bpo-14826: "urlopen URL with unescaped space"
  Fix using quote(self.__original, safe="%/:=&?~#+!$,;'@()*[]|")
  ... and the change has then been reverted because it broke buildbots.
  Still open.
* 2013, bpo-17322: "urllib.request add_header() currently allows trailing spaces (and other weird stuff)"
  Not marked as a security issue.
* 2014, bpo-22928: "HTTP header injection in urrlib2/urllib/httplib/http.client (CVE-2016-5699)"
  Marked as fixed, but user Orange explained in the first comment of
  bpo-30458 that the fix is incomplete.
* 2017, bpo-30458: "[CVE-2019-9740][security] CRLF Injection in httplib" (this issue)
* 2017, bpo-32085: "[Security] A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages!"
* 2019, bpo-35906: "[CVE-2019-9947] Header Injection in urllib" (another CVE!)

Closed issues:

* 2004, bpo-918368: "urllib doesn't correct server returned urls" (urllib)
  FIXED BY: commit 7c2867fcb1ade429a41e030585332ea26e3f60e1
  Fix: fullurl = quote(fullurl, safe="%/:=&?~#+!$,;'@()*[]")
* 2005, bpo-1353433: "Http redirection error in urllib2.py" (urllib2)
  FIXED BY: commit ddb84d7c69addc5d5e2ab3e327260d97b52af3a7
  Fix: newurl = newurl.replace(' ', '%20')
* 2005, bpo-1153027: "http_error_302() crashes with 'HTTP/1.1 400 Bad Request"
  FIXED BY: commit 690ce9b353bc0a86d0886470adbaa50e813de3b8 (Lib/urllib/request.py)
  Fix: fullurl = quote(fullurl, safe="%/:=&?~#+!$,;'@()*[]")
* bpo-29606: "urllib FTP protocol stream injection"
  Duplicate of bpo-30119.
* bpo-30119: "(ftplib) A remote attacker could possibly attack by containing the newline characters"
  FIXED BY: commit 8c2d4cf092c5f0335e7982392a33927579c4d512
  Fix: reject "\r" and "\n" in FTP.putline() (Lib/ftplib.py)
* bpo-36276: "[CVE-2019-9740] Python urllib CRLF injection vulnerability"
  Closed as duplicate of bpo-30458

Rejected pull requests:

* https://github.com/python/cpython/pull/1216/files
  bpo-29606: Reject "\n" in ftp_open() of Lib/urllib/request.py
* https://github.com/python/cpython/pull/2800/files
  bpo-29606: Reject "\n" in ftp_open() and open_ftp() of Lib/urllib/request.py
* https://github.com/python/cpython/pull/2301/files
  bpo-30713: The splittype(), splitport() and splithost() functions of the
  urllib.parse module now reject URLs which contain a newline character.
* https://github.com/python/cpython/pull/2303/files
  bpo-30713: The splittype(), splitport() and splithost() functions of the
  urllib.parse module now reject URLs which contain a newline character, but
  splittype() accepts newlines after the type.
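As an added illustration (not code from the thread or from CPython), the two defensive patterns the fixes listed above rely on: rejecting CR/LF instead of encoding it (the bpo-30119 ftplib fix) and percent-encoding spaces with quote() using the safe set from the bpo-918368 fix. It also checks what the stdlib itself now does: since the bpo-30458 fix, http.client.putrequest() raises InvalidURL for control characters, and putheader() raises ValueError for CR/LF in a header value (bpo-22928). The helper names `has_crlf`, `sanitize_url`, `stdlib_rejects_url` and `stdlib_rejects_header` are hypothetical.

```python
import http.client
from urllib.parse import quote

# Safe set used by the bpo-918368 / bpo-1153027 fixes quoted above.
SAFE = "%/:=&?~#+!$,;'@()*[]"


def has_crlf(text):
    """True if the text contains a CR or LF, the characters that end an HTTP line."""
    return "\r" in text or "\n" in text


def sanitize_url(url):
    """Reject URLs that could inject a request or header line, then percent-encode.

    Control characters are rejected rather than encoded: encoding them would hide
    the problem from the caller, while spaces are simply encoded as %20.
    """
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        raise ValueError("URL contains control characters: %r" % url)
    return quote(url, safe=SAFE)


def stdlib_rejects_url(url):
    """True if http.client refuses to build a request line for `url`.

    Since the bpo-30458 fix (Python 3.7.4 / 3.8), putrequest() raises InvalidURL
    for control characters instead of writing them into the request. No socket is
    opened: putrequest() only buffers the request line.
    """
    conn = http.client.HTTPConnection("localhost")
    try:
        conn.putrequest("GET", url)
    except http.client.InvalidURL:
        return True
    finally:
        conn.close()
    return False


def stdlib_rejects_header(value):
    """True if http.client refuses `value` as a header value (CR/LF check)."""
    conn = http.client.HTTPConnection("localhost")
    try:
        conn.putrequest("GET", "/")
        conn.putheader("X-Test", value)
    except ValueError:
        return True
    finally:
        conn.close()
    return False
```

Note that the stdlib check also rejects a bare space in the request path, so callers still have to percent-encode spaces themselves, which is exactly the bpo-14826 case.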