redirect() doesn't filter "\r\n" leads to CRLF attack #913
Comments
Is this a flaw present when setting any header?
Yes, response.set_header function is also affected
It might be a good idea to check against illegal characters in
I just tested webpy and flask, they raise an exception when there are invalid characters in header. If a developer wants to set two response headers, he should call
On a second thought, a simple check for '\n' won't hurt much.
Bottle now checks against certain control characters (\n, \r and \0) in header names or values and raises a ValueError if the application tries to set an invalid header.
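A validating header setter of the kind described in the comment above, as an added example (my own code, not Bottle's): it rejects CR, LF and NUL in header names and values, and contrasts it with an unchecked serializer using the Location payload from the report. The names validate_header, HeaderInjectionError, build_redirect_headers and render_headers are assumptions, not Bottle's API.

```python
import re

# Characters that must never appear in a header name or value: CR and LF end a
# header line (enabling injection of further headers), NUL can truncate the
# header in some stacks. This mirrors the \n, \r, \0 policy quoted above.
_BAD_HEADER_CHARS = re.compile(r"[\r\n\x00]")


class HeaderInjectionError(ValueError):
    """Raised when a header name or value contains CR, LF or NUL (assumed name)."""


def validate_header(name, value):
    """Return (name, value) unchanged if both are safe to emit, else raise."""
    for label, text in (("name", name), ("value", value)):
        if not isinstance(text, str):
            raise TypeError("header %s must be str, got %r" % (label, type(text)))
        match = _BAD_HEADER_CHARS.search(text)
        if match:
            raise HeaderInjectionError(
                "illegal character %r in header %s: %r" % (match.group(0), label, text))
    return name, value


def build_redirect_headers(location):
    """Headers for a redirect; the Location value is validated before use."""
    return [validate_header("Location", location)]


def render_headers(headers):
    """Serialize (name, value) pairs into a raw header block, validating each."""
    return "".join("%s: %s\r\n" % validate_header(n, v) for n, v in headers) + "\r\n"


def render_headers_unchecked(headers):
    """The flawed 'before' behaviour: no validation, CRLF in a value splits lines."""
    return "".join("%s: %s\r\n" % (n, v) for n, v in headers) + "\r\n"


def rejects_location(location):
    """True if build_redirect_headers refuses this Location value."""
    try:
        build_redirect_headers(location)
    except HeaderInjectionError:
        return True
    return False


if __name__ == "__main__":
    tainted = "233\r\nSet-Cookie: name=salt"  # payload quoted in the report
    print("unchecked lines:", render_headers_unchecked([("Location", tainted)]).split("\r\n"))
    print("validated rejects tainted value:", rejects_location(tainted))
    print(render_headers([("Location", "/home")]))
```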
Related to CVE-2016-9964 @defnull using the redirect shown by 5alt the header value check is not being performed.
The previous fix (6d7e13d) was incomplete.
Oh, yes, I forgot that BaseResponse bypasses I'm a bit surprised that this spawned a CVE. Bottle on its own is not vulnerable. You need a (very) vulnerable application to trigger this behavior. If you pass untrusted user-input to library functions then it should not be a surprise that bad things might happen.
I'll re-open until the release with the fix is published.
* fix #913: redirect() doesn't filter "\r\n" leads to CRLF attack (CVE-2016-9964) #913
Done :) https://pypi.python.org/pypi/bottle/0.12.11 Thanks for the report and help.
"\r\n" sequences were not properly filtered when handling redirections. This allowed an attacker to perform CRLF attacks such as HTTP header injection: bottlepy/bottle#913 Python-bottle now uses setuptools instead of distutils. Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Btw. this issue has been reported almost three years ago in #573 without any official response.
I still agree with @RonRothman on that old issue, and his response was probably the reason why I did not feel the need to respond 'officially':
In the end, the additional check was easy to do and the overhead does not hurt that much. The CVE was still unnecessary IMHO, as this is not a bug in bottle, but in a hypothetical application using bottle in a notoriously wrong way. You would not issue a CVE for an SQL server because it happily accepts SQL injected queries either.
"\r\n" sequences were not properly filtered when handling redirections. This allowed an attacker to perform CRLF attacks such as HTTP header injection: bottlepy/bottle#913 Python-bottle now uses setuptools instead of distutils. Signed-off-by: Peter Korsgaard <peter@korsgaard.com> (cherry picked from commit aa64e33)
Hi,
redirect() doesn't filter "\r\n" which leads to CRLF attack. For example, I use
redirect("233\r\nSet-Cookie: name=salt") can set a new cookie in the client side. :P