Tornado should set the `pycurl.PROTOCOLS` option to `pycurl.PROTO_HTTP|pycurl.PROTO_HTTPS`.
There are many real-world applications using the Tornado HTTP client to fetch data from user-provided URLs.
Tornado doesn't filter protocols in provided URLs, making it possible to abuse its HTTP client like this:
```python
#!/usr/bin/env python3
# coding: utf-8
import tornado.ioloop, tornado.gen, tornado.httpclient, tornado.curl_httpclient


@tornado.gen.coroutine
def main():
    # Select the libcurl-backed client; it passes the URL to libcurl unfiltered.
    tornado.httpclient.AsyncHTTPClient.configure("tornado.curl_httpclient.CurlAsyncHTTPClient")
    # Neither URL is HTTP(S), yet both are fetched.
    for url in ('file:///etc/passwd', 'telnet://time-c.nist.gov:13'):
        res = yield tornado.httpclient.AsyncHTTPClient().fetch(url, raise_error=False)
        print(res.body.decode('utf-8', 'replace'))


if __name__ == "__main__":
    # Stop the loop once the coroutine has finished.
    main().add_done_callback(lambda x: tornado.ioloop.IOLoop.current().stop())
    tornado.ioloop.IOLoop.current().start()
```
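An application-side way to apply the restriction this issue asks for, as an added example that is not part of the original report or of Tornado's code. The names `check_scheme`, `restrict_protocols` and `safe_fetch` are hypothetical, and the block assumes tornado and pycurl are installed; it checks the scheme before the request is built and also sets the protocol masks on the curl handle through `HTTPRequest`'s `prepare_curl_callback`, so libcurl refuses other protocols on the initial request and on redirects.

```python
import asyncio
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def check_scheme(url):
    """Return url unchanged if it is http(s) with a host, else raise ValueError."""
    parts = urlsplit(url)  # urlsplit lower-cases the scheme
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        raise ValueError("refusing URL with scheme %r" % parts.scheme)
    return url


def restrict_protocols(curl):
    """prepare_curl_callback: make libcurl itself refuse anything but HTTP(S)."""
    import pycurl  # imported lazily; only needed when a request is prepared
    allowed = pycurl.PROTO_HTTP | pycurl.PROTO_HTTPS
    curl.setopt(pycurl.PROTOCOLS, allowed)
    # Redirect targets are checked against a separate mask.
    curl.setopt(pycurl.REDIR_PROTOCOLS, allowed)


async def safe_fetch(url):
    """Fetch url with both the pre-check and the libcurl restriction applied."""
    from tornado.httpclient import AsyncHTTPClient, HTTPRequest
    AsyncHTTPClient.configure("tornado.curl_httpclient.CurlAsyncHTTPClient")
    request = HTTPRequest(check_scheme(url),
                          prepare_curl_callback=restrict_protocols)
    return await AsyncHTTPClient().fetch(request, raise_error=False)


if __name__ == "__main__":
    # Constructed inputs: the two URLs from the report plus one HTTPS URL.
    for u in ("file:///etc/passwd", "telnet://time-c.nist.gov:13",
              "https://example.com/"):
        try:
            print(u, "->", asyncio.run(safe_fetch(u)).code)
        except ValueError as exc:
            print(u, "->", exc)
```

The scheme check alone depends on Python and libcurl parsing the URL the same way, which is why the masks are also set on the handle.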