-
-
Notifications
You must be signed in to change notification settings - Fork 30.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CVE-2019-18348: CRLF injection via the host part of the url passed to urlopen() #82757
Comments
Copy-pasted from https://bugs.python.org/issue30458#msg347282 ================ The URL comes from the first message of this issue: Development branches 2.7 and master produce a similar output: Traceback (most recent call last):
...
Exception: (('127.0.0.1\r\n hihi\r\n ', 11211), ..., None) So urllib2/urllib.request actually does a real network connection (DNS query), whereas it should reject control characters in the "host" part of the URL. A second problem comes into the game. Some C libraries like glibc strip the end of the hostname (strip at the first newline character) and so HTTP Header injection is still possible is this case: According to the RFC 3986, the "host" grammar doesn't allow any control character, it looks like: host = IP-literal / IPv4address / reg-name ALPHA (letters) IP-literal = "[" ( IPv6address / IPvFuture ) "]" CVE-2019-18348 was assigned to this flaw, which is similar to CVE-2019-9947 and CVE-2019-9740 but it is about the *host* part of a url. |
Can't see the specifics of that "restricted" redhat bug, but this was interesting bug and I wanted to ask if perhaps the domain in such cases should be IDN / punycoded ://xn--n28h.ws/ for example is ://💩.la |
The glibc issue mentioned in the first comment is CVE-2016-10739 . |
Just to say this is reproducible only on rather old enterprise Linux distributions, where CVE-2016-10739 bug in glibc has not been fixed. I believe it means RHEL-6, SUSE SLE-10, 11, 12 (not sure whether it applies to some old Debian as well). |
Thanks for the PR Ashwin! |
If anyone cares about 2.7, the *final* release is coming up in a few weeks. They'll need to figure out what it looks like there and get a 2.7 PR reviewed by the release manager. |
marking as a 2.7 release blocker just to get benjamin's RM attention before the final 2.7. |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: