Author orsenthil
Recipients orsenthil
Date 2021-04-18.19:36:58
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1618774620.3.0.412025280445.issue43882@roundup.psfhosted.org>
In-reply-to
Content
A security issue was reported by Mike Lissner wherein an attacker was able to use `\r\n` in the url path, the urlparse method didn't sanitize and allowed those characters be present in the request.

> In [9]: from urllib.parse import urlsplit
> In [10]: urlsplit("java\nscript:alert('bad')")
> Out[10]: SplitResult(scheme='', netloc='', path="java\nscript:alert('bad')", query='', fragment='')



Firefox and other browsers ignore newlines in the scheme. From
the browser console:

>> new URL("java\nscript:alert(bad)")
<< URL { href: "javascript:alert(bad)", origin: "null", protocol:
"javascript:", username: "", password: "", host: "", hostname: "", port: "", pathname: "alert(bad)", search: "" 

Mozilla Developers informed about the controlling specification for URLs is in fact defined by the "URL Spec"
from WHATWG which updates RFC 3986 and specifies that tabs and newlines
should be stripped from the scheme.

See: https://url.spec.whatwg.org/#concept-basic-url-parser

That link defines an automaton for URL parsing. From that link, steps 2 and 3 of scheme parsing read:

If input contains any ASCII tab or newline, validation error.
3. Remove all ASCII tab or newline from input.

---- 


urlparse module behavior should be updated, and an ASCII tab or newline should be removed from the url (sanitized) before it is sent to the request, as WHATWG spec.
History
Date User Action Args
2021-04-18 19:37:00orsenthilsetrecipients: + orsenthil
2021-04-18 19:37:00orsenthilsetmessageid: <1618774620.3.0.412025280445.issue43882@roundup.psfhosted.org>
2021-04-18 19:37:00orsenthillinkissue43882 messages
2021-04-18 19:36:58orsenthilcreate