Message 339852 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	xtreak
Recipients	gregory.p.smith, martin.panter, orange, serhiy.storchaka, vstinner, ware, xiang.zhang, xtreak
Date	2019-04-10.10:59:20
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1554893960.96.0.00473338222228.issue30458@roundup.psfhosted.org>
In-reply-to

Content
As @gregory.p.smith noted in GitHub [0] this fixes only protocol level bugs. There are some parsing ambiguities in urllib that are potential security issues still to be fixed. issue20271 - urllib.urlparse('http://benign.com\[attacker.com]') returns attacker.com as hostname . A slightly related issue https://bugs.python.org/issue20271 issue35748 - urllib.urlparse(r'http://spam\eggs!cheese&aardvark@evil.com') returns evil.com as hostname issue23505 - Urlparse insufficient validation leads to open redirect issue33661 - urllib may leak sensitive HTTP headers to a third-party web site (Redirecting from https to http might also pass some headers in plain text. This behavior was changed in requests, golang, Curl that had their own respective CVEs) As a fun side note this vulnerability was used by one of our own tests as a feature from 2012 to test another security issue (issue14001) [1] :) [0] https://github.com/python/cpython/pull/12755#issuecomment-481599611 [1] https://github.com/python/cpython/pull/12755#issuecomment-481618741

As @gregory.p.smith noted in GitHub [0] this fixes only protocol level bugs. There are some parsing ambiguities in urllib that are potential security issues still to be fixed.

issue20271 - urllib.urlparse('http://benign.com\[attacker.com]') returns attacker.com as hostname . A slightly related issue https://bugs.python.org/issue20271
issue35748 - urllib.urlparse(r'http://spam\eggs!cheese&aardvark@evil.com') returns evil.com as hostname
issue23505 - Urlparse insufficient validation leads to open redirect
issue33661 - urllib may leak sensitive HTTP headers to a third-party web site (Redirecting from https to http might also pass some headers in plain text. This behavior was changed in requests, golang, Curl that had their own respective CVEs)

As a fun side note this vulnerability was used by one of our own tests as a feature from 2012 to test another security issue (issue14001) [1] :) 

[0] https://github.com/python/cpython/pull/12755#issuecomment-481599611
[1] https://github.com/python/cpython/pull/12755#issuecomment-481618741

History
Date	User	Action	Args
2019-04-10 10:59:20	xtreak	set	recipients: + xtreak, gregory.p.smith, vstinner, martin.panter, serhiy.storchaka, xiang.zhang, orange, ware
2019-04-10 10:59:20	xtreak	set	messageid: <1554893960.96.0.00473338222228.issue30458@roundup.psfhosted.org>
2019-04-10 10:59:20	xtreak	link	issue30458 messages
2019-04-10 10:59:20	xtreak	create