[Python-Dev] Need help to fix HTTP Header Injection vulnerability

Gregory P. Smith greg at krypto.org
Tue Apr 9 20:41:27 EDT 2019


On Tue, Apr 9, 2019 at 4:45 PM Karthikeyan <tir.karthi at gmail.com> wrote:

> I would recommend fixing it since it's potentially remote code execution
> on systems like Redis (latest versions of Redis have this mitigated) though
> I must admit I don't fully understand the complexity since there are
> multiple issues linked. Go was also assigned a CVE for linked issue and it
> seemed to be the same reporter by username : CVE-2019-9741 . I tried using
> go's approach in the commit but urlopen accepts more URLs like data URLs
> [0] that seemed to accept \n as a valid case and the patch broke some
> tests. Looking at the issue discussion complexity also involves backwards
> compatibility. golang also pushed an initial fix that seemed to broke their
> internal tests [0] to arrive at a more simpler fix.
>
> [0]
> https://github.com/python/cpython/blob/a40681dd5db8deaf05a635eecb91498dac882aa4/Lib/test/test_urllib.py#L482
> [1]
> https://go-review.googlesource.com/c/go/+/159157/2#message-39c6be13a192bf760f6318ac641b432a6ab8fdc8
>
> --
> Regards,
> Karthikeyan S
>

useful references, thanks!  limiting the checks to only http and https as
those are the text based protocols with urls transmitted in text form makes
sense and avoids the data: test failures.

proposed simple fix in https://github.com/python/cpython/pull/12755

but tests are needed as is an audit of the code to see where else we may
potentially need to do such things.

-gps
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20190409/22802cd3/attachment.html>


More information about the Python-Dev mailing list