[security][CVE-2019-16935] A reflected XSS in python/Lib/DocXMLRPCServer.py #82424
Comments
It's "Lib/DocXMLRPCServer.py" in Python 2.x or "Lib/xmlrpc/server.py" in Python 3.x. Steps to reproduce: 1. Lib/DocXMLRPCServer.py is "a documenting XML-RPC Server". In the class ServerHTMLDoc, the method markup() escapes special symbols (such as <, " etc.) to a safe form.
Thanks for the report. There is a policy to report security vulnerabilities in CPython: https://www.python.org/news/security/.
Looks like this issue can be solved by below code changed. @@ -833,7 +834,7 @@ class XMLRPCDocGenerator:
+ self.server_title = html.escape(server_title) |
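Review bot: as excerpted, the hunk escapes only `server_title` (`+ self.server_title = html.escape(server_title)`), while `server_name` and `server_documentation` flow into the same generated page and are exercised by the thread's poc (`server.set_server_name('test<script>')`, `server.set_server_documentation('test<script>')`), so they need the same treatment or a note on where they are already escaped; the removed line and surrounding context are not visible here, so also confirm that `html` is imported in this module, and add a regression test that renders the documentation page with `<` in each of the three fields and asserts the escaped form appears.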
I've proposed the patch on GitHub, which escapes the server_title when documenter.page is called. (This is a different point from msg353132.)
The private security mailing list has been contacted first and we advise opening a public issue since we consider that it's not a major security issue. To exploit this bug, the attacker has to control the XML-RPC server title.
The attached poc.py seems to show that server name and server documentation are not escaped either:
server.set_server_name('test<script>')
server.set_server_documentation('test<script>')
Well, please write a test to check that ;-)
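The test asked for in the comment above, and the escaping suggested in the patch comment, as an added example that is not part of this thread or of CPython's own test suite. `render_unsafe` and `render_safe` are hypothetical minimal renderers that only illustrate the raw-interpolation pattern beside its escaped form; `reflects_raw` probes the real stdlib class `xmlrpc.server.DocCGIXMLRPCRequestHandler` (which needs no socket) with one hostile field at a time and reports whether the generated page still contains the raw markup. The payload is a constructed sample.

```python
import html
from xmlrpc.server import DocCGIXMLRPCRequestHandler

# Constructed hostile input: a browser would run this if it reached the page unescaped.
PAYLOAD = "test<script>alert(1)</script>"

_TEMPLATE = (
    "<html><head><title>Python: %s</title></head><body>"
    "<big><big><strong>%s</strong></big></big>"
    "<p><tt>%s</tt></p></body></html>"
)


def render_unsafe(server_title, server_name, server_documentation):
    """Hypothetical 'before' pattern: caller-controlled strings are written
    straight into HTML, so '<' in any field becomes live markup."""
    return _TEMPLATE % (server_title, server_name, server_documentation)


def render_safe(server_title, server_name, server_documentation):
    """Hardened form: escape each attacker-influenced field at the point it is
    written into the HTML, as the patch does with html.escape(server_title)."""
    return _TEMPLATE % (
        html.escape(server_title),
        html.escape(server_name),
        html.escape(server_documentation),
    )


def reflects_raw(field, payload=PAYLOAD):
    """Regression probe against the installed stdlib.

    Sets exactly one of server_title / server_name / server_documentation on a
    DocCGIXMLRPCRequestHandler (real stdlib class; the CGI variant needs no socket),
    renders the documentation page and returns True if the raw payload is present
    unescaped, i.e. the field is still reflected.
    """
    handler = DocCGIXMLRPCRequestHandler()
    setter = {
        "server_title": handler.set_server_title,
        "server_name": handler.set_server_name,
        "server_documentation": handler.set_server_documentation,
    }[field]
    setter(payload)
    page = handler.generate_html_documentation()
    return payload in page


if __name__ == "__main__":
    for field in ("server_title", "server_name", "server_documentation"):
        state = "reflected unescaped" if reflects_raw(field) else "escaped"
        print("%-21s %s" % (field, state))
```

Probing one field per run is deliberate: a single page rendered with all three fields hostile would only tell you that at least one of them is escaped, not which. On an interpreter that carries the fix, `reflects_raw("server_title")` returns False.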
Thank you for the feedback.
@Dong-Hee Na: Would you mind trying to backport the change to Python 2.7, which also has the bug?
Sure!
I prefer to keep it open until the 3.5 backport is merged.
CVE-2019-16935 has been assigned to this vulnerability. |