New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Possible HTTP Response Splitting Vulnerability #217

Closed
liquidworm opened this Issue Oct 7, 2015 · 2 comments

Comments

Projects
None yet
3 participants
@liquidworm
Copy link

liquidworm commented Oct 7, 2015

Hi,

Please review the published advisory, probably it's in the API WebOb which is not documented here: http://docs.webob.org/en/latest/api/exceptions.html

Probably there are other WebOb applications with similar issues.

Here is the advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5267.php

Thanks

@bertjwregeer

This comment has been minimized.

Copy link
Member

bertjwregeer commented Oct 7, 2015

Okay, so some sample code to make this a little more clear:

def test_HTTPMove_location_newlines():
    def start_response(status, headers, exc_info=None):
        print(headers)
        pass
    environ = {
       'wsgi.url_scheme': 'HTTP',
       'SERVER_NAME': 'localhost',
       'SERVER_PORT': '80',
       'REQUEST_METHOD': 'HEAD',
       'PATH_INFO': '/',
    }
    m = webob_exc._HTTPMove(location='http://example.com\r\nX-Test: false')
    m( environ, start_response )

The data that is printed is:

[
    ('Content-Type', 'text/html; charset=UTF-8'),
    ('Content-Length', '0'),
    ('Location', 'http://example.com\r\nX-Test: false')
]

This is passed off to start_response(), which is generally provided by a WSGI compatible server. I don't believe it's WebOb's responsibility to sanitize header information being sent to the WSGI server.

@GrahamDumpleton

This comment has been minimized.

Copy link

GrahamDumpleton commented Dec 29, 2015

FWIW. Apache/mod_wsgi should raise a ValueError exception out of start_response() if given a header value with embedded \r or \n.

Many other WSGI servers, if not perhaps all of them, don't bother with such validation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment